WordPress 2.6.1 Security Hole !!!
Today, while I was checking my mail, I saw that one of our visitors had sent me an e-mail including a description of a security hole in WordPress 2.6.1. I was shocked because it's really easy to apply. After I saw that, I logged in to my wp-admin page for this site and realized WordPress has released version 2.6.2. I think they also heard about this security hole and they have fixed it.
The security hole is this: imagine a blog site using WordPress 2.6.1 whose web address is www.computersake.com. When you type www.computersake.com/wp-login.php?action=register in your address bar, the new user registration page comes up!
After that, we type our user name as “admin x”. Be careful: there are 52 space characters between “admin” and “x”. Then type your e-mail address into the next textbox and click register. By doing this we are duplicating the “admin” username. Your password will arrive at your e-mail address soon, but you will not be able to log in with this information. So open the same page again, click “forgot password” and type in your own e-mail address, and you will receive the link to reset the admin password. Once you click the reset link, the new password will be generated and sent to the real owner of the website. You can only annoy the admin by doing this; there is nothing you can benefit from. But it's still a security hole, because anyone can reset the admin’s password.
How can you solve this problem?
1) Upgrade your WordPress to 2.6.2
2) Change your blog settings and don't allow anyone to register.
regards
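For sites that must keep registration open, a server-side check can refuse logins that are padded copies of an existing account and can audit the accounts already stored. The following is an added example, not code from this post or from WordPress; the function names are hypothetical and the 60-character login column width is an assumption.

```python
import re

MAX_LOGIN_LEN = 60               # assumption: width of the login column
PADDING = re.compile(r"\s{2,}")  # two or more whitespace characters in a row


def canonical(login):
    """Form used for comparison: trimmed, whitespace collapsed, case-folded."""
    return re.sub(r"\s+", " ", login).strip().casefold()


def registration_problem(candidate, existing):
    """Return why `candidate` must be refused, or None if it is acceptable."""
    taken = {canonical(name) for name in existing}
    if len(candidate) > MAX_LOGIN_LEN:
        return "too long for the login column"
    if candidate != candidate.strip() or PADDING.search(candidate):
        # The part before the first padding run is the name being imitated.
        head = canonical(PADDING.split(candidate.strip())[0])
        if head in taken:
            return f"padded copy of existing login '{head}'"
        return "contains padding whitespace"
    if canonical(candidate) in taken:
        return "login already exists"
    return None


def padded_lookalikes(logins):
    """Audit stored logins: return (suspect, imitated) pairs already present."""
    names = {canonical(n): n for n in logins if not PADDING.search(n.strip())}
    pairs = []
    for login in logins:
        parts = PADDING.split(login.strip())
        if len(parts) > 1 and canonical(parts[0]) in names:
            pairs.append((login, names[canonical(parts[0])]))
    return pairs


# Constructed sample data: the padded name from the post plus ordinary logins.
PADDED = "admin" + " " * 52 + "x"
USERS = ["admin", "editor", "Jane Doe"]

if __name__ == "__main__":
    print(registration_problem(PADDED, USERS))
    print(padded_lookalikes(USERS + [PADDED]))
```

Run `registration_problem` before the account is written, and run `padded_lookalikes` once over the existing user table to find accounts created before the check was in place.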



October 10th, 2008 at 6:53 am
Great news for WordPress users, I hope WordPress development can fix these bugs
October 10th, 2008 at 9:06 pm
It's already fixed, don't worry