The folks at WordPress just released the 2.6.2 security update, which protects against a class of weakness that can affect any PHP program backed by a database, SQL column truncation, and which could let malicious hackers reset other users’ accounts. If you allow open user registration on your WordPress-powered blog, this is a mandatory upgrade. If registration is closed, you don’t need to worry about this one. From Ryan Boren:
Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.
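To make the column-truncation problem concrete from the defender’s side, here is an added example (my own illustration, not WordPress code): a tiny model of a non-strict VARCHAR column that silently cuts over-long values and ignores trailing spaces in comparisons, beside the registration-time check that stops two different submitted logins from collapsing onto one stored row. The column width, table layout and sample logins are assumptions for the demo.

```python
# Added illustration of a defensive check against SQL column truncation.
# Model: a MySQL-style VARCHAR column in non-strict mode truncates an
# over-long value to the column width, and trailing spaces are not
# significant when comparing, so two different submitted strings can
# resolve to the same stored row. Everything here is constructed sample data.

from dataclasses import dataclass, field

USER_LOGIN_WIDTH = 60  # assumed width of the login column for this demo


@dataclass
class UserTable:
    """Tiny stand-in for a non-strict VARCHAR column; not a real database."""
    width: int
    rows: dict = field(default_factory=dict)

    def _normalise(self, value: str) -> str:
        # Truncate to the declared width, then ignore trailing spaces,
        # which is how the stored value ends up being compared.
        return value[: self.width].rstrip(" ")

    def insert(self, login: str) -> str:
        stored = self._normalise(login)
        self.rows.setdefault(stored, {"login": stored})
        return stored

    def lookup(self, login: str):
        return self.rows.get(self._normalise(login))


def validate_login(login: str, width: int = USER_LOGIN_WIDTH) -> bool:
    """Accept only a login the column can store exactly as it was submitted."""
    if not login:
        return False
    if len(login) > width:
        return False              # would be silently truncated on INSERT
    if login != login.strip(" "):
        return False              # would compare equal to a shorter login
    return True


def safe_register(login: str, table: UserTable) -> str:
    """Validate, refuse an existing match, and confirm the stored row round-trips."""
    if not validate_login(login, table.width):
        raise ValueError("login would not be stored exactly as submitted")
    if table.lookup(login) is not None:
        raise ValueError("login already taken (or collides with an existing one)")
    stored = table.insert(login)
    if stored != login:
        raise ValueError("stored login differs from submitted login")
    return stored
```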
Special Offer for Urgent Security Upgrades
Need help upgrading your core software? The normal cost for a core software update is $45, but to help you get your blog secure again, if you get in touch before midnight PST Saturday, September 13, I’ll offer a special discounted upgrade of your core files for just $25.
[source: WordPress 2.6.2 on the WordPress Development Blog]
It appears that many WordPress-powered sites across the net are still running an older version of the software with known security vulnerabilities. I’ve personally seen this issue crop up when I’ve clicked through on the titles of a few RSS feeds that pointed to spam links, not the originating blog. If you’re not running the latest version of WordPress, take a look at your feeds to be sure your site isn’t compromised. Not only is this a bad thing for your users, but Technorati has stopped tracking many of these blogs, as will the search engines.
Technorati staffer Ian Kallen had this to say:
“This is a follow up on our post regarding a problem affecting thousands of WordPress blogs, Patch or Upgrade Your Wordpress Installation, Now. WordPress has since released version 2.5. However, we’ve noticed that a large number of blogs remain vulnerable to the security issue addressed by the 2.3.3 release.
Blogs that have been compromised by this security vulnerability are typified by having links to spam destinations inserted onto the blog page. These link insertions may be invisible to casual observation; the links are often obscured by style attributes that render them invisible. These links are still seen by crawlers such as Technorati’s, Google’s and Yahoo’s. You can find these links by viewing the source of the blog pages or, when using Firefox, looking under “Tools” -> “Page Info” -> “Links”. Blogs hosted on wordpress.com are not affected by this issue; only blogs hosted on their own installations of WordPress from wordpress.org require concern.
Because of this ongoing problem, we’re discontinuing processing crawls of blogs that exhibit common symptoms of being compromised. We strongly recommend upgrading your WordPress installation. Even if you haven’t been afflicted by a compromise, by the time you are aware that you have been a number of negative consequences may have already occurred (for instance, flagged spam by Technorati, Google or Yahoo!) — this has been reported by many WordPress users.
If you have questions about installing WordPress or maintaining a WordPress installation, please refer to the WordPress Documentation or the WordPress Forums. If you feel that your blog is not vulnerable to this hack but your WordPress blog is not being updated, please contact Technorati support staff.”
Special Offer for Urgent Security Upgrades
The normal cost for a complete software update is $65. For clients who are still running WordPress 2.3.2 or below ONLY, to help you get your blog secure again, I’ll be offering a special discounted upgrade of your core files and plugins for just $35, but you must contact me before midnight PST Saturday, August 9.
[source: Vulnerable WordPress Blogs Not Being Indexed on Technorati Weblog]