=====================================================================
CERT-Renater Information Note No. 2009/VULN325
_____________________________________________________________________
DATE                 : 12/08/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running WordPress versions prior to 2.8.4.
======================================================================
http://wordpress.org/development/2009/08/2-8-4-security-release/
______________________________________________________________________
WordPress 2.8.4: Security Release
Posted August 12, 2009 by Matt. Filed under Releases, Security.

Yesterday a vulnerability was discovered: a specially crafted URL could be
requested that would allow an attacker to bypass a security check to verify
a user requested a password reset. As a result, the first account without a
key in the database (usually the admin account) would have its password
reset and a new password would be emailed to the account owner. This
doesn't allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking
for other problems since then. Version 2.8.4 which fixes all known problems
is now available for download and is highly recommended for all users of
WordPress.
======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44         +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41         +
+ 75013 Paris         | email: certsvp@renater.fr    +
=========================================================
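The failure the quoted post describes amounts to a reset-key lookup that ends up matching an account holding no key at all. The following is an added PHP example, not WordPress's own code, contrasting a key-only lookup with a hardened check that requires a non-empty string key bound to the requesting login; the user table, logins and key values are constructed for illustration.

```php
<?php
// Constructed user table (example data, not a real site). An empty
// user_activation_key means the account never requested a reset, which is
// the "first account without a key" situation the advisory describes.
$users = [
    ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => ''],
    ['ID' => 3, 'user_login' => 'alice',  'user_activation_key' => 'k7m2p9q4x1c8v5b3'],
];

// Weak lookup: matches on the key column alone. If the supplied key ends up
// empty, it silently returns the first user whose stored key is empty, so the
// wrong account gets its password reset.
function find_user_by_key_only(array $users, string $key): ?array {
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return $u;
        }
    }
    return null;
}

// Hardened lookup: login and key must both be strings, the key must be
// non-empty after sanitising, the named account must actually have a reset
// pending, and the comparison is constant-time.
function find_user_for_reset(array $users, $login, $key): ?array {
    if (!is_string($login) || !is_string($key)) {
        return null; // reject arrays and other non-string request values
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return null; // an empty key must never match anything
    }
    foreach ($users as $u) {
        if ($u['user_login'] !== $login) {
            continue;
        }
        if ($u['user_activation_key'] === '') {
            return null; // no reset was requested for this account
        }
        return hash_equals($u['user_activation_key'], $key) ? $u : null;
    }
    return null;
}

$weak = find_user_by_key_only($users, '');
echo "key-only lookup with empty key matched: ", $weak['user_login'] ?? 'nobody', "\n";
$hard = find_user_for_reset($users, 'admin', '');
echo "hardened lookup with empty key matched: ", $hard['user_login'] ?? 'nobody', "\n";
$ok = find_user_for_reset($users, 'alice', 'k7m2p9q4x1c8v5b3');
echo "hardened lookup with valid key matched: ", $ok['user_login'] ?? 'nobody', "\n";
```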