Well yea, wordpress known as one of the open source cms vendor with really really good care of their security, so if they release something new, it must’ve been a security fix, or features improvements. Version 2.8.6, is one of its release from their security fix outlet.

There are 2 Security Fixes:

From official wordpress blog regarding this WordPress 2.8.6 Security Release :

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

Plain english would be read like this : There re 2 security problems which could be exploited by one of your registered user – with posting privileges and logged in. So actually, this security problem is an exploitable problem by someone who’s already in (logged in as a registered user), and has posting privilege (authors, editors, or other user with custom privileges with posting ability in it.) Long story short : Exploitable by inside man.

The 2 Security Problems Are

1. An XSS vulnerability in Press This discovered by Benjamin Flesch.
2. An issue with sanitizing uploaded file names that can be exploited in certain Apache configurations, discovered by Dawid Golunski.

Be advise, IF you guys have a blog with multiple authors, and there’s a possibility one of them has a possibility to go “bad”, this release is definitely recommended for you.
Alrite.. catch up with you later!

Stefan Esser of suspekt.org recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand().

With his help, WordPress team worked around these problems and were releasing WordPress 2.6.2, last September 8, 2008. Yeah, I know, i ‘m a bit late to write this, but it’s always better be late then not knowing at all, right?

Should I upgrade?

If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser has already release details of the complete attack, both for SQL Column Truncation and the weakness of mt_rand(). The attack is difficult to accomplish, but its mere possibility means, upgrading to 2.6.2 is recommended.

Some bloggers and sys admin with open registration feature for their site or blog, has closed their registration temporarily until they got chances to upgrade to 2.6.2. Wiser choice I must say, couldn’t agree more.

Version 2.6.2 Bugs, Fixes and Security Patches

There ‘re some bugs found for 2.6.1 or previously 2.6, and the 2.6.2 have all the fixes and security patches. If you ‘re interested to take a look at the 2.6.2 bugs and fixes list, headed to this page of that contains a handful of bug fixes.

So, wait no more, upgrade now! For all of you who upgrade it already, congrats!

[ Indonesian version → ]