WordPress releases updates far too often; I can no longer keep up with it. According to the official announcement, if your blog has open user registration, make sure you upgrade to the latest version, 2.6.2. The relevant part of the original reads:
If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
If your blog has open registration, then in version 2.6.1 and earlier a newly registered user can find a way to reset another user's password, and because of a weakness in the mt_rand() function itself, an attacker could use this to guess the password of the targeted user. This is not an easy attack to pull off, but blogs with open registration are still advised to upgrade. Download: Download WordPress 2.6.2
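To illustrate the mt_rand() point from the announcement, here is an added example (not WordPress code) that places a password generator built on mt_rand(), whose whole output is fixed once its seed is known, beside one built on PHP 7's CSPRNG random_int(); the function names and the sample seed are assumptions.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak: mt_rand() is a deterministic generator. Its entire output sequence,
// and therefore the "random" password, is fixed by the seed; if the seed has
// little entropy (a timestamp, a process id), the password can be replayed.
function weak_password(int $seed, int $len = 12): string {
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= ALPHABET[mt_rand(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

// Hardened: random_int() draws from the operating system's CSPRNG.
// There is no seed to learn or guess, so each call is independent.
function strong_password(int $len = 12): string {
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= ALPHABET[random_int(0, strlen(ALPHABET) - 1)];
    }
    return $out;
}

// Demonstration: with the same low-entropy seed the weak generator returns
// the identical password on every call, while the CSPRNG-based one does not.
$seed = 1221000000;  // constructed sample seed, e.g. a Unix timestamp
echo "weak, same seed twice: ",
     weak_password($seed) === weak_password($seed) ? "identical" : "different", "\n";
echo "strong, two calls:     ",
     strong_password() === strong_password() ? "identical" : "different", "\n";
```

The practical lesson for any code that mints reset passwords or tokens is to draw them from a CSPRNG rather than from a seeded PRNG such as mt_rand().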
Tags: WordPress
Upgraded, heh.