CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 11th, 2009

WordPress 2.8.3 Remote Admin Password Reset Vulnerability

Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform. An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu 2.8.3 and older.

The flaw, which can be exploited via the browser, gives an attacker a trivial way to compromise the admin account of any WordPress of WordPress MU (multiple user) installation.

The attack uses an ability of PHP to not only set values on variables, but also make them arrays. Basically a GET request can add data like: http://www.example.com?data

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

PHP being a typeless environment, this means that if you process variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string.

A web browser is sufficient to reproduce this Proof of concept: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= The password will be reset without any confirmation.

The “handy” feature to submit an array in a GET request might well be ignored by many other developers beyond those at wordpress, so if you wrote PHP code yourself, best verify for this possibility.

No patch available for the moment. A fix is in the making and those who use wordpress will see an updated version soon enough.

Credit: SecLists.org

Share this item with others:

More on CyberInsecure:
  • WordPress Cookie Integrity Protection Allows Unauthorized Access
  • WordPress Multiple SQL Injection Vulnerabilities
  • Critical Password-Reset Forgery Vulnerability In Joomla
  • WordPress 2.6.2 Released Due To PHP Weakness That Might Lead To Attack
  • WordPress Parameter Directory Traversal Vulnerability

    • Posted in Mass Web Attacks, Software, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Tuesday, August 11th, 2009 at 6:16 pm and is filed under Mass Web Attacks, Software, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: WordPress 2.8.3 Remote Admin Password Reset Vulnerability

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »