Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin. If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.
2.6.2 also contains a handful of bug fixes. Check out the full changeset and list of changed files.
September 8th, 2008 | Posted in Uncategorized | Comments Off
Hello everyone. I would like to inform you all that I have started a new website where I will be releasing a set of premium wordpress themes. These themes will be available on a membership basis - only $19.95 for unlimited access. The website, Elegant Wordpress Themes, will be dedicated to releasing only the highest quality themes, with the highest standard of design. Take a look at my latest templates below, or view the entire collection in the Elegant WPT Gallery.
Preview | Join Today
Preview | Join Today
Preview | Join Today
Preview | Join Today
Preview | Join Today
September 3rd, 2008 | Posted in Free Website Templates, Free WordPress Layouts, WordPress Video Tutorials | No Comments
With 2.6.1, we’re continuing our trend of releasing a maintenance release shortly after a major release in order to get fixes for the inevitable “dot zero” bugs into your hands without a long wait. If you’re happy with 2.6, however, keep on using it. You need not upgrade to 2.6.1 if 2.6 is getting the job done.
2.6.1 offers several improvements for international users. Styling of the admin for right-to-left languages is much improved thanks to the efforts of the Farsi and Hebrew translation teams, and a mysterious gettext bug caused by certain PHP configurations is now fixed. For IIS users, 2.6.1 fixes several permalink problems. Image insertion problems in the Press This feature experienced by IE users are also fixed. Of note to everyone is a fix for a performance bug in the admin where those with a lot of plugins would experience slowness on some pages.
Check out the full list of over 60 fixes to see if 2.6.1 has something to offer you. A full diff and list of changed files is also available. Download 2.6.1 and enjoy.
August 15th, 2008 | Posted in Uncategorized | Comments Off
