Wordpress users beware! [Vulnerability]

  • Ecchi22
    Too lazy to set a custom title
    • Nov 2005
    • 10012

    #1

    Wordpress users beware! [Vulnerability]

    There's a new Wordpress exploit out there that can be dangerous..

    The affected version is the newest one (2.6.1) and it works only if you have the user registration option enabled.. It is disabled by default, so if you don't know what it is, relax.. But if you have it turned on, I'd recommend you disable it for now, until someone posts a solution to this.

    The attacker can change the Administrator password (but the real admin will receive the new password in his e-mail, so you'll notice it for sure)

    Source: http://www.milw0rm.com/exploits/6397

  • Ecchi22
    Too lazy to set a custom title
    • Nov 2005
    • 10012

    #2
    If you wanna check if your blog has registration enabled, just go to yourblog.com/wp-login.php?action=register

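    A small script for the check in the post above, added here as an example and not taken from the thread: it fetches wp-login.php?action=register for a blog you administer and classifies the response, using the "User registration is currently not allowed." message that a later post in this thread quotes. The `registerform` form id used to recognise an open registration page is an assumption about the WordPress markup, and the sample HTML is constructed.

```python
import re
import sys
import urllib.request

# Constructed sample responses, not captured from any real site.
CLOSED_HTML = '<p class="message">User registration is currently not allowed.</p>'
OPEN_HTML = ('<form name="registerform" id="registerform" '
             'action="wp-login.php?action=register" method="post">')

# Message WordPress shows when registration is off (quoted later in the thread).
CLOSED_MARKER = "User registration is currently not allowed."
# Assumption: an open registration page renders a form with id="registerform".
OPEN_PATTERN = re.compile(r'id=["\']registerform["\']', re.IGNORECASE)


def registration_status(html):
    """Classify a wp-login.php?action=register response.

    Returns 'closed' (registration disabled, nothing to do),
    'open' (registration enabled, disable it until the fix lands),
    or 'unknown' (neither marker found, e.g. a customised login page).
    """
    if CLOSED_MARKER in html:
        return "closed"
    if OPEN_PATTERN.search(html):
        return "open"
    return "unknown"


def check_blog(base_url, timeout=10):
    """Fetch the registration page of your own blog and classify it."""
    url = base_url.rstrip("/") + "/wp-login.php?action=register"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return registration_status(html)


if __name__ == "__main__":
    # Usage: python check_wp_registration.py https://yourblog.example
    for blog in sys.argv[1:]:
        print(blog, registration_status.__name__, check_blog(blog))
```

Run it against blogs you administer; an "open" result means the registration option is on and should be switched off as the first post recommends.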

    • Aussie Rebel
      Blow Me U Geeks
      • Aug 2001
      • 5108

      #3
      thanks and bump


      • klaze
        So Fucking Banned
        • May 2008
        • 2167

        #4
        my enemy's site: "User registration is currently not allowed." darn.


        • Angry Jew Cat - Banned for Life
          (felis madjewicus)
          • Jul 2006
          • 20368

          #5
          wordpress has got more holes than your local country club


          • mynameisjim
            Confirmed User
            • Aug 2007
            • 2985

            #6
            Originally posted by Angry Jew Cat
            wordpress has got more holes than your local country club
            No kidding. I wish they would just focus on making it secure instead of adding new features which are pretty useless. It should be a bare-bones, secure foundation to which you can add plugins.


            • beta-tester
              Rock 'n Roll Baby!
              • Sep 2004
              • 22562

              #7
              Thanks for the heads up, man!



              • AlienQ - BANNED FOR LIFE
                best designer on GFY
                • Mar 2003
                • 30307

                #8
                Man, I can not imagine the number of retards that spend weeks on weeks and in some cases months on months to find some silly nuance to take advantage of a software script online.

                That's life that needs a life. Fucking sad, pathetic, useless people.
                But ya gotta love it, it makes the software more secure in the long run.

                All my blogs got that shit turned off though
                Thanks for the heads
                Last edited by AlienQ - BANNED FOR LIFE; 09-08-2008, 01:24 AM.


                • MoreMagic
                  Confirmed User
                  • Feb 2006
                  • 2851

                  #9
                  Hee stop playing security agent, still waiting on our themes

                  Originally posted by Ecchi22
                  There's a new Wordpress exploit out there that can be dangerous..

                  The affected version is the newest one (2.6.1) and it works only if you have the user registration option enabled.. It is disabled by default, so if you don't know what it is, relax.. But if you have it turned on, I'd recommend you disable it for now, until someone posts a solution to this.

                  The attacker can change the Administrator password (but the real admin will receive the new password in his e-mail, so you'll notice it for sure)

                  Source: http://www.milw0rm.com/exploits/6397


                  • kmanrox
                    aka K-Man
                    • Oct 2001
                    • 29295

                    #10
                    I've notified the WP devs just in case they didn't know


                    • The Duck
                      Adult Content Provider
                      • May 2005
                      • 18243

                      #11
                      thank you dude


                      • seeandsee
                        Check SIG!
                        • Mar 2006
                        • 50945

                        #12
                        thanks, to the top


                        • Ecchi22
                          Too lazy to set a custom title
                          • Nov 2005
                          • 10012

                          #13
                          Originally posted by MoreMagic
                          Hee stop playing security agent, still waiting on our themes
                          I'm really sorry for the huge delay! We'll talk on ICQ, my friend's PC crashed and he lost his HDD but somehow he managed to backup the files, hope I can finish them soon enough.


                          • u-Bob
                            there's no $$$ in porn
                            • Jul 2005
                            • 33063

                            #14
                            no surprise there... wp is one of the crappiest pieces of code out there...


                            • V_RocKs
                              Damn Right I Kiss Ass!
                              • Nov 2003
                              • 32449

                              #15
                               Sends the new password to the real admin's email.. not your own...
