José Carlos Nieto Jarquín reported a vulnerability in WP 2.5:
He published an advisory on SecurityFocus on 15 Apr 2008 about the insecure default SECRET_KEY configuration value. Anyone who knows the default SECRET_KEY value can gain access to any account on a system where SECRET_KEY has been left at its default.
Read about the vulnerability in WordPress 2.5 on SecurityFocus.
To generate a random new SECRET_KEY for your configuration file, you can go here.
The default wp-config.php says:
Change SECRET_KEY to a unique phrase. You won't have to remember
it later, so make it long and complicated. You can visit
https://www.grc.com/passwords.htm to get a phrase generated for you,
or just make something up.
define('SECRET_KEY', 'put your unique phrase here');
Here is an example of what you could put in your SECRET_KEY:
define('SECRET_KEY', 'b<r4 c/.I.?d+3<cW$DITK79.Aiq~W]Xk.!D^ic]O]ppxSgy+o\'gT\\r+*t0Kqlq:');
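A small audit for the problem described above, added here as an example and not taken from the original post or from WordPress: it reports whether a wp-config.php body leaves SECRET_KEY undefined, at the default phrase, or short, and builds a replacement define() line with the same single-quote escaping used in the sample key. The function names and the 32-character minimum are assumptions of this example.

```python
import re
import secrets
import string

# Placeholder shipped in the default wp-config.php quoted above.
DEFAULT_SECRET_KEY = "put your unique phrase here"
MIN_LENGTH = 32  # assumption for this example, not a WordPress rule

# An uncommented define('SECRET_KEY', '...'); with a single-quoted PHP value.
_DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"]SECRET_KEY['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;""",
    re.MULTILINE,
)


def php_escape(value):
    # Single-quoted PHP strings need only backslash and quote escaped.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def php_unescape(raw):
    # Reverse of php_escape: \' becomes ' and \\ becomes \.
    return re.sub(r"\\(['\\])", r"\1", raw)


def extract_secret_key(config_text):
    """Return the decoded SECRET_KEY value, or None if it is not defined."""
    match = _DEFINE_RE.search(config_text)
    return php_unescape(match.group(1)) if match else None


def audit_secret_key(config_text):
    """Classify a wp-config.php body: missing, default, short or ok."""
    key = extract_secret_key(config_text)
    if key is None:
        return "missing"
    if key == DEFAULT_SECRET_KEY:
        return "default"
    return "short" if len(key) < MIN_LENGTH else "ok"


def new_define_line(length=64):
    """Build a define() line around a key drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation + " "
    key = "".join(secrets.choice(alphabet) for _ in range(length))
    return "define('SECRET_KEY', '%s');" % php_escape(key)
```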