Today we received a security notice:
Affected package: wordpress-2.8.2,1
Type of problem: wordpress — remote admin password reset vulnerability.
Description:
WordPress reports: A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.
References:
- URL: <http://wordpress.org/development/2009/08/2-8-4-security-release/>
- URL: <http://www.milw0rm.com/exploits/9410>
Affects:
- wordpress <2.8.4,1
- de-wordpress <2.8.4
- wordpress-mu <2.8.4a
Our installations of WordPress and WordPress-MU have been updated.
In addition, a review of our logs revealed several hack attempts using admin_topic_action_logging.php. Apparently some IBM systems are vulnerable to this exploit. The offending IPs have been banned from our server.
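To make the failure mode in the notice concrete, here is an added example (not code from WordPress or from this post) modelling a password-reset key lookup in Python: a lookup by key alone matches the first account that has no pending key when given an empty key, which is the outcome the notice describes, while the hardened version binds the key to a named account, requires a non-empty key of the expected format, and compares it in constant time. The user table, key format and function names are constructed assumptions.

```python
import hmac
import re
import secrets

# Constructed sample user table: login -> stored reset key.
# Assumption: an empty key means no reset has been requested for that account.
USERS = {
    "admin": {"activation_key": ""},
    "alice": {"activation_key": "k9f2a7c1e4b8"},
}

# Expected shape of a valid reset key (assumed format for this example).
KEY_RE = re.compile(r"^[a-z0-9]{12,64}$")


def find_user_by_key_unsafe(key):
    """Lookup with the weakness the notice describes: the first account whose
    stored key equals the supplied value wins, so an empty key matches the
    first account without a pending reset (usually the admin account)."""
    for login, rec in USERS.items():
        if rec["activation_key"] == key:
            return login
    return None


def find_user_by_key_safe(login, key):
    """Hardened lookup: reject anything that is not a well-formed non-empty
    string, bind the key to one named account, refuse accounts with no
    pending reset, and compare in constant time."""
    if not isinstance(key, str) or not KEY_RE.match(key):
        return None
    rec = USERS.get(login)
    if rec is None or not rec["activation_key"]:
        return None
    if not hmac.compare_digest(rec["activation_key"], key):
        return None
    return login


def issue_reset_key(login):
    """Store a fresh random key for an account that actually asked for a reset."""
    rec = USERS.get(login)
    if rec is None:
        return None
    rec["activation_key"] = secrets.token_hex(16)  # 32 hex chars, matches KEY_RE
    return rec["activation_key"]
```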