For the last few weeks, I've been getting hundreds of registrations here, and given (a) there's no reason to register except to post a comment, and (b) there aren't very many comments posted, I figured something was up. Until yesterday, though, I didn't know what was going on. Now, thanks to the WordPress 2.6.2 release, I do:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
In other words, by registering often enough with specially-crafted usernames, you may eventually be able to force the admin user's password to be reset to something random, and you may know that random password. Scary stuff. So today, I upgraded to 2.6.2, and cleaned out the vast majority of recently-created accounts.
If you'd signed up for a legit account and I zapped it, please just register again -- and sorry for the inconvenience.
Rob;
My id no longer works. I tried to re-register, but it says I still exist. I tried to reset my passwor, but it won't accept the new password.
Thanks for finding a problem with a new plug-in I added -- it deactivated all the accounts that existed prior to installation! That problem is fixed now.
-rob.
Comments are closed.