Full Disclosure mailing list archives
Re: WordPress <= 2.8.3 Remote admin reset password
From: g30rg3_x <g30rg3x () gmail com>
Date: Tue, 11 Aug 2009 00:13:24 -0500
Bug is confirmed... The WP team has already issued a patch: http://core.trac.wordpress.org/changeset/11798

Nice find.

Regards

2009/8/11 laurent gaffie <laurent.gaffie () gmail com>:

Mr Fabio, you don't even understand the bug, so please shut the hell up.

2009/8/11 Fabio N Sarmento [ Gmail ] <fabior2 () gmail com>:

If this is a bug, please close Twitter.com, MSN.com and other services, because they have the same stupid "Reset password" service. So please make my day, and create a stupid script to flood with multiple requests to reset passwords. LOL

2009/8/10 Jeremy Brown <0xjbrown41 () gmail com>:

I'm guessing you're not a WordPress administrator, Fabio. Nice find Laurent, as usual.

On Mon, Aug 10, 2009 at 10:48 PM, laurent gaffie <laurent.gaffie () gmail com> wrote:

Oh ok. Then, let's avoid that function. If it's useless to have a function that validates a reset password before resetting it, let's just avoid it, smartass.

2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2 () gmail com>:

There is no risk in this. It's just a little flaw; it doesn't break anything or put your admin access at risk. :-P To me, this vulnerability is more "BUZZ" than real deal. LOL

2009/8/10 laurent gaffie <laurent.gaffie () gmail com>:

Hi there,

This wasn't tested on the 2.7* branch. It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as an Apache 2.2.12 module, on a linux env.

Regards
Laurent Gaffié

2009/8/10 Nicolas Valcárcel Scerpella <nicolas.valcarcel () canonical com>:

I don't see the issue with wp 2.7.1

On Mon, 10 Aug 2009, laurent gaffie wrote:

Errata:

"V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3"

-->

"V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to reset the admin account of any wordpress/wordpress-mu <= 2.8.3"

Regards
Laurent Gaffié

2009/8/10 laurent gaffie <laurent.gaffie () gmail com>:

=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way WordPress handles a password reset looks like this: you submit your email address or username via this form: /wp-login.php?action=lostpassword ; WordPress sends you a reset confirmation like this via email:

"Someone has asked to reset the password for the following site and username.

http://DOMAIN_NAME.TLD/wordpress
Username: admin

To reset your password visit the following address, otherwise just ignore this email and nothing will happen
http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag"

You click on the link, and then WordPress resets your admin password, and sends you another email with your new credentials.

Let's see how it works:

wp-login.php:

...[snip]....

line 186:

function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));

...[snip]....

line 276:

$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';

...[snip]....

line 370:

    break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();
    break;

...[snip ]...

You can abuse the password reset function, bypass the first step and then reset the admin password by submitting an array to the $key variable.

IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficient to reproduce this proof of concept:

http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=

The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch available for the moment.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com

I'd like to shoot some greetz to securityreason.com for their great research on PHP, and for this under-estimated vulnerability discovered by Maksymilian Arciemowicz: http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Nicolas Valcárcel
Security Engineer
Custom Engineering Solutions Group
Canonical OEM Services

--
Best regards,
- Fábio -
IT Manager

--
follow me @twitter ! : http://twitter.com/laurentgaffie
--
g30rg3_x
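As an added example (not code from the advisory, the thread, or WordPress), the following PHP models the reset_password() flow the advisory quotes: it shows why an array in $_GET['key'] passes the empty() check and reaches the user lookup as an empty key, and how a type check on the key stops it. The $users rows and find_user_by_key() are constructed stand-ins for the wp_users query, and format_key() is an assumed, simplified model of the %s formatting step in $wpdb->prepare().

```php
<?php
// Added example, not code from the advisory or WordPress. $users stands in for
// the wp_users table; format_key() is an assumed, simplified model of the %s
// formatting step in $wpdb->prepare() (assumptions, not WordPress behaviour).

$users = [                                  // constructed sample rows
    ['user_login' => 'admin',  'user_activation_key' => ''],
    ['user_login' => 'editor', 'user_activation_key' => 'o7naCKN3OoeU2KJMMsag'],
];

// Like vsprintf(), a lone array argument is unpacked as the argument list,
// so the array [''] that ?key[]= puts in $_GET['key'] formats as ''.
function format_key($key): string {
    return vsprintf('%s', is_array($key) ? $key : [$key]);
}

// Stand-in for get_row(): first row whose activation key equals the needle.
function find_user_by_key($key, array $users): ?array {
    $needle = format_key($key);
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $needle) return $u;
    }
    return null;
}

// Mirrors the quoted code: preg_replace() maps an array to an array,
// empty(['']) is false, and the lookup then matches the first user with an
// empty activation key, i.e. one with no reset pending (here: admin).
function reset_password_vulnerable($key, array $users): string {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) return 'invalid_key';
    $user = find_user_by_key($key, $users);
    return $user === null ? 'invalid_key' : 'reset:' . $user['user_login'];
}

// Hardened variant: the key must be one non-empty string before any lookup,
// and a matching row must actually carry a non-empty key.
function reset_password_hardened($key, array $users): string {
    if (!is_string($key)) return 'invalid_key';
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') return 'invalid_key';
    $user = find_user_by_key($key, $users);
    if ($user === null || $user['user_activation_key'] === '') return 'invalid_key';
    return 'reset:' . $user['user_login'];
}
$forged = [''];                              // $_GET['key'] for ?key[]=
$normal = 'o7naCKN3OoeU2KJMMsag';            // key from a genuine reset email
echo reset_password_vulnerable($forged, $users), "\n";
echo reset_password_hardened($forged, $users), "\n";
echo reset_password_hardened($normal, $users), "\n";
```

Run with the PHP CLI: the vulnerable function resets the admin row for the forged array input, while the hardened one rejects it and still accepts the genuine string key.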
Current thread:
- WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password Nicolas Valcárcel Scerpella (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Message not available
- Message not available
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password Jeremy Brown (Aug 10)
- Message not available
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Message not available
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password g30rg3_x (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password Nicolas Valcárcel Scerpella (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)
- Message not available
- Message not available
- Re: WordPress <= 2.8.3 Remote admin reset password laurent gaffie (Aug 10)