Yesterday, WordPress 2.6.2 was released to address the SQL Column Truncation and mt_rand() vulnerabilities. This release also includes a few other minor bug fixes. (Details of other bug fixes can be found here)
Here’s an excerpt from the WordPress blog to give you an idea of how the vulnerabilities can be used to attack blogs with open user registration:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
If you implement open user registration on your blog, then you definitely have to update to WordPress 2.6.2 immediately. Although this is not a very serious security risk, if you don’t update your WordPress installation there’s a possibility that someone could use this vulnerability to guess the generated password, gain access to your blog and mess it up. You wouldn’t want that to happen, would you?
By the way, for those of our friends who are new to WordPress and aren’t sure whether their blogs have open user registration or not, here’s how you can check: In your WordPress dashboard, go to Settings and under the General tab look for Membership options. If the “Anyone can register” option is checked, then your blog is using open user registration. To disable it, just uncheck it and click on the Save Changes button below.
If you don’t have open user registration on your blog and don’t mind spending time doing an upgrade, then go ahead. Nothing wrong with keeping your WordPress installation up-to-date. Personally, I’d rather wait for WordPress 2.7, which is scheduled to be released in November, unless of course there’s a security release like WordPress 2.2.3; then I’d most certainly do an upgrade.
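If you maintain several blogs, the version and registration check described above can be scripted. The following is an added example, not part of the original post or of WordPress: it assumes the installed version is read from `$wp_version` in `wp-includes/version.php` and the “Anyone can register” setting from the `users_can_register` option, and the function names, verdict labels and sample data are made up for illustration.

```python
import re

FIXED = (2, 6, 2)  # release that the post says fixes both issues

def parse_wp_version(version_php):
    """Return ((major, minor, patch), is_prerelease) or None."""
    m = re.search(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""",
                  version_php, re.M)
    if not m:
        return None
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not nums:
        return None
    parts = [int(p) for p in nums.group(0).split(".")]
    parts += [0] * (3 - len(parts))          # "2.6" -> (2, 6, 0)
    suffix = m.group(1)[nums.end():]         # e.g. "-beta1"
    return tuple(parts[:3]), bool(suffix)

def triage(version_php, users_can_register):
    """Classify one install; users_can_register is the raw option value."""
    parsed = parse_wp_version(version_php)
    if parsed is None:
        return "unknown-version"
    version, prerelease = parsed
    # A pre-release of the fixed version is not assumed to carry the fix.
    if version > FIXED or (version == FIXED and not prerelease):
        return "patched"
    if str(users_can_register).strip() == "1":
        return "update-now"                  # open registration + <= 2.6.1
    return "update-when-convenient"

# Constructed sample data: (text of version.php, users_can_register value)
SAMPLE_INSTALLS = {
    "blog-a": ("<?php\n$wp_version = '2.6.1';\n", "1"),
    "blog-b": ("<?php\n$wp_version = '2.6';\n", "0"),
    "blog-c": ("<?php\n$wp_version = '2.6.2';\n", "1"),
}

def audit(installs):
    return {name: triage(php, reg) for name, (php, reg) in installs.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_INSTALLS).items():
        print(f"{name}: {verdict}")
```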
@Joie – I’m still thinking whether to update to WP 2.6.2 or not since I don’t have open user registration. Most likely I’ll just wait for WP 2.7 which I’ll be talking about in one of my next posts. :)
I haven’t updated to 2.6.2 yet.. I’m waiting for you to update.. :) Anyhow, thanks for the information.
@jhay – It’s mandatory for blogs using open user registration to update to WP 2.6.2. Better safe than sorry. :)
Had this fixed once the new version came out. Two of the WP blogs I maintain have open registration and it’s just prudent and wise to update ASAP. :wink: