Slashdot Mirror


WordPress Exploit Allows Admin Password Reset

Multiple readers have sent word of a vulnerability in WordPress 2.8.3 which lets an unauthenticated remote attacker lock an admin out of his or her account by resetting the password. "The bug ... is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required." The attacker does not learn the generated password, which is still sent to the account's registered address, so the immediate effect is a lockout rather than a takeover. An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.
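The summary does not show what the "specially manipulated link" does to the reset handler. The following is an added example, not WordPress's code and not taken from the advisory: a stand-in reset-key lookup written to reproduce the class of mistake, alongside a hardened version. The forged request uses the array form of the parameter (`?key[]=`), which is what the Full Disclosure report described for this bug; the user table, the key values and the helper names are constructed for the demonstration.

```php
<?php
// Added example (not WordPress code): a stand-in password-reset key lookup
// showing the failure mode behind a "reset via special link" bug, next to a
// hardened lookup. The user table and keys below are constructed.

declare(strict_types=1);

// Constructed user table. The admin never requested a reset, so their stored
// activation key is blank, which is exactly what an unvalidated lookup matches.
function sample_users(): array {
    return [
        1 => ['login' => 'admin', 'activation_key' => ''],
        2 => ['login' => 'alice', 'activation_key' => 'c0ffee4b1dd4c0ffee4b1dd4'],
    ];
}

// Weak lookup, modelled on the pre-fix pattern: strip unexpected characters,
// reject an "empty" key, then compare. PHP's query-string parser turns
// `?key[]=` into array(0 => ''), preg_replace() maps over arrays, and empty()
// is false for any non-empty array, so the guard passes and the comparison is
// made against the array's first element: the empty string.
function find_user_weak(array $users, $key): ?array {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return null;
    }
    // Stand-in for a prepared-statement helper that, when handed an array,
    // used its elements as the query arguments.
    $needle = is_array($key) ? (string) reset($key) : $key;
    foreach ($users as $id => $u) {
        if ($u['activation_key'] === $needle) {
            return ['id' => $id] + $u;
        }
    }
    return null;
}

// Hardened lookup: the key must be a string of the expected shape, a blank
// stored key can never match, and the comparison is constant-time.
function find_user_hardened(array $users, $key): ?array {
    if (!is_string($key) || !preg_match('/^[a-z0-9]{24}$/i', $key)) {
        return null;
    }
    foreach ($users as $id => $u) {
        if ($u['activation_key'] !== '' && hash_equals($u['activation_key'], $key)) {
            return ['id' => $id] + $u;
        }
    }
    return null;
}

// Three constructed requests: a genuine link, the forged array form, and a
// blank key. Only the forged form separates the two lookups.
$users = sample_users();
$requests = [
    'legitimate link'     => 'c0ffee4b1dd4c0ffee4b1dd4', // alice's key
    'forged ?key[]= link' => [''],                       // what PHP builds from key[]=
    'blank key'           => '',
];
foreach ($requests as $label => $key) {
    $weak = find_user_weak($users, $key);
    $hard = find_user_hardened($users, $key);
    printf("%-20s weak: %-6s hardened: %s\n", $label,
        $weak ? $weak['login'] : 'none', $hard ? $hard['login'] : 'none');
}
```

Running this prints `alice` for both lookups on the genuine link, `admin` for the weak lookup and `none` for the hardened one on the forged link, and `none` for both on the blank key. The type check is only half of the fix the story calls for: a reset handler should also not replace the password merely because a link was visited. It should bind the key to one user id and an expiry, ask the visitor to choose the new password on the page the link opens, and invalidate the key once it has been used.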

1 of 100 comments

  1. The great fallacy of root passwords by BadAnalogyGuy · Score: -1, Redundant

    None of my systems have root passwords. But I am not vulnerable.

    While this may, at first glance, seem to be foolhardy, the key to this is that there are no root accounts on any of my systems. A root account is itself the biggest vulnerability, exploitable by any root-access flaw. By removing the account and accounts like it, there is no surface area to attack. At least, there is no vulnerability that puts my whole system at risk.

    Is it difficult to work without root access? No, not really. The key is to take frequent backups to return the system to a known state if there is any chance of infiltration.