Update your WP 2.8.3 installations immediately.

Discussion in 'Blogging' started by lizmoz, Aug 12, 2009.

  1. lizmoz

    lizmoz Power Member

    Code:
    http://www.theregister.co.uk/2009/08/12/wordpress_password_reset_bug/
    """
    The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required
    """

    Kind of worth updating if you happen to have this. :)
     
  2. kingbrend

    kingbrend Regular Member Premium Member

    Just stick to 2.7.1 .. this is why I haven't updated the blogs yet..
     
  3. iglow

    iglow Elite Member

    Yep, I run all my blogs on 2.7.1 ;)
     
  4. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

  5. mbceo

    mbceo Junior Member

    Thanks for the heads up. The OP is just letting people know if they have 2.8.3, then update again. This is not about which version of WP is the best.
     
  6. mechasheba

    mechasheba Junior Member

    So, 2.8.2 is not affected?
     
  7. 0wned

    0wned Newbie

    Just updated, luckily enough. Kind of worrying when these sorts of bugs appear.
     
  8. dnyce

    dnyce Newbie

    I was thinking about updating all of my blogs this weekend. Think I'll just stick with 2.7.1 for now.
     
  9. jmascis

    jmascis Registered Member

    Thanks for the heads up.
     
  10. ruler0fall

    ruler0fall Power Member

    I'm at 2.8.4 with both mu and normal wp
     
  11. orangeblossoms

    orangeblossoms Regular Member

    Does this still matter if you replace your WP version, i.e. it's faked?

    I use this plugin -
    Code:
    http://wordpress.org/extend/plugins/replace-wp-version/
     
  12. funktrust

    funktrust Regular Member

    2.7.1 for the win :)
     
  13. bzy39

    bzy39 Regular Member

    Well, you can update to the new version; 2.8.4 has come out and the bug has been fixed.
     
  14. lovewap

    lovewap Newbie

    Thx, I use WP 2.7.1
     
  15. Sweetfunny

    Sweetfunny Jr. VIP Jr. VIP Premium Member

    This doesn't compromise your admin. It resets your pass and you don't get an email, meaning you can't log in and then have to reset it again.

    There's sufficient sanitized code to stop a full bypass, so no real reason to panic and start updating 500 blogs (thankfully).
     
  16. shimi

    shimi Jr. VIP Jr. VIP Premium Member

    Where can I find WP 2.7.1 to download?
    I don't want the new version.
     
  17. lovewap

    lovewap Newbie

    http://wordpress.org/download/release-archive/
     
  18. HairSpray

    HairSpray Junior Member

    Yeap, same here. I sell blogs and still use 2.7.1

    edit: get disable wordpress core update and you're golden
     
  19. xxMP3xx

    xxMP3xx Regular Member

    It will only reset the password but not show it to anyone :)
     
  20. lizmoz

    lizmoz Power Member

    Yah, the original news was actually inaccurate and has been updated since. It first stated that 2.8.3 blogs can be taken over just like that; just wanted to warn people. That would've been a "goldmine" for some assholes.
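
For anyone running many installs, as several posters in this thread do, the sketch below is an added example (not code from the thread or from WordPress) that walks a hosting directory and lists the installs still on 2.8.3. It reads `$wp_version` from each `wp-includes/version.php` on disk rather than the version a site advertises in its pages; the directory layout and the names `audit` and `needs_update` are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path

AFFECTED = "2.8.3"  # version the thread says to update
FIXED = "2.8.4"     # release the thread says contains the fix

# Matches: $wp_version = '2.8.3';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def installed_version(wp_root):
    """Return the version string in wp-includes/version.php, or None."""
    vfile = Path(wp_root) / "wp-includes" / "version.php"
    try:
        text = vfile.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    match = _VERSION_RE.search(text)
    return match.group(1) if match else None


def audit(base_dir):
    """Map every WordPress root under base_dir to (version, status)."""
    report = {}
    for vfile in sorted(Path(base_dir).rglob("version.php")):
        if vfile.parent.name != "wp-includes":
            continue  # some unrelated version.php, not a WordPress core file
        root = vfile.parent.parent
        version = installed_version(root)
        if version is None:
            status = "unreadable"
        elif version == AFFECTED:
            status = "update"
        else:
            status = "fixed" if version == FIXED else "other"
        report[str(root)] = (version, status)
    return report


def needs_update(base_dir):
    """Return the install roots that are still on the affected release."""
    return [root for root, (_, st) in audit(base_dir).items() if st == "update"]


if __name__ == "__main__":
    # Constructed sample tree so the script runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in [("blog-a", "2.8.3"), ("blog-b", "2.8.4")]:
            inc = Path(tmp) / name / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        print(needs_update(tmp))
```

The "other" status only means the install is neither 2.8.3 nor 2.8.4; the thread does not establish whether older releases are affected.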