If you don’t know by now, WordPress 2.8.4 has hit the public and it addresses a mild but hugely annoying issue. There was no advance warning regarding the vulnerability, but it was quickly patched in the core of WordPress for the next release. Unfortunately, word quickly spread and, in fact, even my site WPTavern.com was affected by the problem: I received an email letting me know what my new password was even though I didn’t request one. Here are the details regarding the annoyance:
a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
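To make the kind of check described above concrete, here is an added illustration (not WordPress code, and not the actual 2.8.3 code path): a toy reset-key lookup in which a weak presence-only check lets an empty key select the first account with no pending reset, beside a hardened version that only ever matches an account that actually requested one. The account table, the key format and the parameter name are assumptions made for the example.

```python
import hmac
import re
from typing import Optional

# Constructed sample accounts: the stored key is empty when no reset is pending.
# The first row is the admin account, which never requested a reset.
USERS = [
    {"login": "admin",  "reset_key": ""},
    {"login": "editor", "reset_key": "k7f3x9q2"},
    {"login": "author", "reset_key": ""},
]

KEY_RE = re.compile(r"[A-Za-z0-9]{8,}")  # assumed key alphabet and length

def weak_lookup(params: dict, users=USERS) -> Optional[dict]:
    """Weak check: only confirms a 'key' parameter is present, then matches
    the stored column against whatever value arrived. A request carrying an
    empty key therefore selects the first account with no pending reset."""
    if "key" not in params:
        return None
    for u in users:
        if u["reset_key"] == params["key"]:
            return u
    return None

def hardened_lookup(params: dict, users=USERS) -> Optional[dict]:
    """Hardened check: the key must be a non-empty, well-formed string, the
    candidate account must actually have a pending reset, and the comparison
    is constant-time. Accounts with no pending request can never match."""
    key = params.get("key")
    if not isinstance(key, str) or not KEY_RE.fullmatch(key):
        return None
    for u in users:
        stored = u["reset_key"]
        if stored and hmac.compare_digest(stored, key):
            return u
    return None

if __name__ == "__main__":
    # Same empty-key request against both checks: the weak one hands back
    # the admin account, the hardened one hands back nothing.
    print(weak_lookup({"key": ""}), hardened_lookup({"key": ""}))
```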
Thus WordPress 2.8.4. However, there are certain ways in which to respectfully report security vulnerabilities. An article on the vulnerability published by Programmerfish.com in my opinion did more harm than good. The article discusses the vulnerability, explains how to put it in practice, then goes on to show some examples of the vulnerability in action which the author performed on sites they didn’t own. The author tries to justify his/her actions by stating that it was just a proof-of-concept. The author has taken plenty of heat from folks in the comments which I believe to be appropriate.
The Correct Way:
If you discover a security problem with WordPress, this is the correct way to go about it. If you believe you’ve found a security problem in a release of WordPress please send mail to security at the WordPress.org domain and we’ll do our best to address it as soon as possible.
It is standard practice to notify the vendor (the WordPress developers, in this case) of a security problem before publicizing so a fix can be prepared and public damage due to the vulnerability minimized.
If you would like to see this method put into practice, check out the report timeline from CoreLabs, a research and development company that discovered the unchecked privileges in admin.php problem which led to the release of WordPress 2.8.1. They notified the WordPress team on June 6th of the problem. By communicating back and forth, the issue was resolved by July 8th. A day after, the new versions of WordPress and WordPress MU were released to the public to minimize damage from the exploit. In this situation, everyone wins.