Djarot Studio

Wordpress 2.6.1 Dangerous Vulnerabilities, Upgrade to 2.6.2 NOW!

WP 2.6.1 Bugs

So you guys are still on version 2.6.1? Well, be aware. There are two vulnerabilities marked as dangerous because, combined, they would allow an attacker to reset the password of another user. Stefan Esser of suspekt.org recently warned developers about the dangers of SQL column truncation and the weakness of mt_rand() seeding.

With his help, the WordPress team worked around these problems and released WordPress 2.6.2 last September 8, 2008. Yeah, I know, I'm a bit late writing this, but it's always better to be late than not to know at all, right?

Should I upgrade?

If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it allows resetting another user's password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser has already released details of the complete attack, both for SQL column truncation and for the weakness of mt_rand(). The attack is difficult to accomplish, but its mere possibility means upgrading to 2.6.2 is recommended.
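To make the two halves of that paragraph concrete, here is an added example (my own illustration, not WordPress code) that models both weaknesses in memory and shows the checks that close them: a non-strict MySQL VARCHAR column silently cutting an over-long username so that two registrations end up matching the same stored login under PAD SPACE comparison, and a reset password drawn from the OS CSPRNG instead of a seeded PRNG like mt_rand(). The column width of 60 and the table/validator names are assumptions for the example; nothing here talks to a real database.

```python
"""Model of SQL column truncation and of a safe reset-password generator.

Constructed example: MySQL's non-strict truncation and PAD SPACE comparison
are simulated in memory so the behaviour can be run and tested offline.
"""
import secrets
import string

# Assumed width of the login column (hypothetical VARCHAR(60)).
USER_LOGIN_MAX = 60


def truncate_like_mysql(value: str, width: int) -> str:
    """Non-strict MySQL silently cuts an over-long string to the column width."""
    return value[:width]


def pad_space_equal(a: str, b: str) -> bool:
    """PAD SPACE collations ignore trailing spaces when comparing two strings."""
    return a.rstrip(" ") == b.rstrip(" ")


class WeakUserTable:
    """Registration that stores whatever it is handed (the pre-fix shape)."""

    def __init__(self) -> None:
        self.rows: list[tuple[str, str]] = []  # (stored login, password)

    def register(self, login: str, password: str) -> str:
        stored = truncate_like_mysql(login, USER_LOGIN_MAX)
        self.rows.append((stored, password))
        return stored

    def matches(self, login: str) -> list[str]:
        """Every stored login a 'WHERE user_login = ?' lookup would return."""
        return [stored for stored, _ in self.rows if pad_space_equal(stored, login)]


def validate_new_login(login: str, existing: list[str]) -> tuple[bool, str]:
    """Registration-time checks a hardened application should apply."""
    if len(login) > USER_LOGIN_MAX:
        return False, "login exceeds column width"
    if login != login.strip():
        return False, "leading or trailing whitespace"
    if any(pad_space_equal(login, e) for e in existing):
        return False, "collides with an existing login"
    return True, "ok"


def generate_reset_password(length: int = 12) -> str:
    """Draws the password from the OS CSPRNG, not from a seedable PRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    table = WeakUserTable()
    table.register("admin", "first-password")
    # A second name that is over the column width gets cut down to a string
    # that PAD SPACE comparison treats as equal to the first one.
    table.register("admin" + " " * 60, "second-password")
    print("rows matching 'admin':", len(table.matches("admin")))  # ambiguous lookup
    print(validate_new_login("admin" + " " * 60, ["admin"]))       # rejected
    print("fresh password:", generate_reset_password())
```

The model is deliberately narrow: the real fix is to enforce the length and whitespace rules in the application and to run MySQL in a strict SQL mode (for example `STRICT_TRANS_TABLES`), where an over-long insert fails instead of being truncated. For the random password, the point is simply that a value from `secrets` cannot be reconstructed from a guessable seed the way a freshly seeded `mt_rand()` stream can.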

Some bloggers and sysadmins with open registration on their site or blog have closed registration temporarily until they get the chance to upgrade to 2.6.2. A wise choice, I must say; couldn't agree more.

Version 2.6.2 Bugs, Fixes and Security Patches

There are some bugs found in 2.6.1 (and the earlier 2.6), and 2.6.2 carries all the fixes and security patches. If you're interested in the 2.6.2 list of bugs and fixes, head to the release page, which contains a handful of bug fixes.

So, wait no more, upgrade now! For all of you who have upgraded already, congrats!


Comments

11 Responses to “Wordpress 2.6.1 Dangerous Vulnerabilities, Upgrade to 2.6.2 NOW!”
  1. September 26th, 2008

    8:58 am


  2. October 7th, 2008

    12:52 am


    what-is-a-blog? said :

    thanks for sharing all these info! :)

  3. October 7th, 2008

    12:57 am


    djarot said :

    Sure thing. Thanks for stopping by :)

  4. October 18th, 2008

    2:08 pm


    badboys said :

Ugh, I've been waiting for your backlink and SEO tips, but instead you rarely update :D

  5. October 18th, 2008

    2:38 pm


    djarot said :

    Heh.. I've been really busy, mas. Work never lets up. It's not that it's heavy, it's that the deadlines are all tight, that's what makes it truly impossible to breathe.

    I'll take a day or two to relax and update later, maybe the clients will agree to a reschedule. Well, at least I'll wait until the last project is done, I guess; it's not nice to ask the people who gave me the work to push back a deadline we already agreed on.

    Um, thanks a lot for waiting, btw.. :)

  6. October 19th, 2008

    9:07 am


    Ardhindie said :

    Well..Thanks for sharing…I need to give you a backlink from my blog…hope you add me too…

    Regards,
    Ardhi

  7. October 19th, 2008

    9:43 am


    djarot said :

    Sure do. I'll add yours real soon.
    Cool blog you have btw..

    Thanks for stopping by buddy :)

  8. October 23rd, 2008

    6:32 pm


    Alan K said :

    Thanks for the update. I may have to go do some upgrading

  9. November 3rd, 2008

    10:23 am


    Andy Walpole said :

    Wordpress is always having to report these security flaws.

    It is a well-written script so I guess it must be enemy #1 (due to its popularity) for all the hackers and crackers out there.

  10. November 3rd, 2008

    11:21 am


    djarot said :

    Uh huh, you got it right buddy. Not just hackers and crackers as far as I know. All coders on this planet are pretty anxious to test all the flaws in this one. You know, to get this world better written code..

    But no, not me, that's for sure. I'm too lazy to inspect anything. Well, maybe someday.. but not in the near future.

    Thanks for stopping by. :)

  11. November 20th, 2008

    1:09 am


    Cheap-Hotel-Dubai said :

    Thanks for sharing and updating information. It means I also need to upgrade to version 2.6.2.
    I also read about WordPress security patches somewhere but I ignored it.
    Thanks again….


Djarot Studio © 2006 - 2009 All Rights Reserved.
