My Security Planet » BlogSecurity » April 16, 2008

Feeds

13607 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

• Opensourcetesting.org News

BlogSecurity

• 

  WordPress 2.5 Secret_Key Vulnerability

  Posted: April 16th, 2008, 4:20am CDT by DK

  Tags:  Advisories   [edit]

  José Carlos Nieto Jarquín has found a vulnerability affecting WordPress 2.5 ONLY. His advisory was released on SecurityFocus yesterday.

  Our recent "Secure WordPress Whitepaper Revision" shows the new WordPress SECRET_KEY variable in the ‘wp-config.php’ file. This SECRET_KEY must be set to something random, as specified in the WordPress documentation. If not, it may be possible for an attacker to brute force the default WordPress SALT generation process to gain access to your blog.

  The vulnerability has been reported as a Medium risk as it only affects WordPress installations matching a certain criteria. See advisory for more details.

  A proof of concept exploit is publicly available. Please ensure that you set your SECRET_KEY in your ‘wp-config.php’ file to something random.

  From wp-config.php:

  Change SECRET_KEY to a unique phrase.  You won't have to remember
  it later, so make it long and complicated.  You can visit
  https://www.grc.com/passwords.htm to get a phrase generated for you,
  or just make something up.
  define('SECRET_KEY', 'put your unique phrase here');
  

  

  

TOP RSS Gregarius 0.5.4 Tentatively valid XHTML1.0, CSS2.0 Last update: Mon May 21 12:13:42 2012