WordPress 2.8.3 Remote Admin Password Reset Vulnerability
Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform. An attacker could exploit this vulnerability to compromise the admin account of any WordPress or WordPress MU installation running version 2.8.3 or older.
The flaw, which can be exploited from an ordinary web browser, gives an attacker a trivial way to compromise the admin account of any WordPress or WordPress MU (multi-user) installation.
The attack abuses PHP's ability not only to populate variables from request parameters, but also to turn them into arrays. In the basic case, a GET request passes data through the query string, for example: http://www.example.com?data
PHP takes this a notch further by allowing arrays to be created from a GET request as well:
http://www.example.com?variable[]=value1&variable[]=value2
Because PHP is loosely typed, a developer who processes user-submitted variables must take care not to be fed an array by an attacker where a string is expected.
A web browser is sufficient to reproduce this proof of concept: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= The password will be reset without any confirmation.
The “handy” feature of submitting an array in a GET request may well have been overlooked by many developers beyond those at WordPress, so if you have written PHP code yourself, it is worth checking for this possibility.
No patch is available for the moment. A fix is in the making, and WordPress users will see an updated version soon enough.
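As an added illustration (constructed for this write-up, not WordPress's own code), the PHP below shows why the `key[]=` form slips past a string-oriented check and what a fail-closed version looks like. The 20-character alphanumeric key format and the function names are assumptions.

```php
<?php
// Constructed example (not WordPress code): how a "key[]=" query parameter
// turns an expected string into an array, and how to reject that input.

// Stand-in for $_GET: PHP's own parse_str() applies the same
// "name[]=value" array rule that the request superglobals use.
function params_from_query(string $query): array {
    parse_str($query, $params);
    return $params;
}

// Weak pattern: the code assumes $key is a string. For the array that
// "key[]=" produces (one empty-string element), preg_replace() returns an
// array and empty() is false, so the "invalid key" branch is skipped and
// the array flows on into the database lookup.
function check_key_weak($key): string {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid key';
    }
    return 'lookup with key of type ' . gettype($key);
}

// Hardened pattern: insist on a non-empty string of the expected shape
// before using it. Arrays, nulls and malformed keys all fail closed.
function check_key_strict($key): string {
    if (!is_string($key) || !preg_match('/^[a-z0-9]{20}$/i', $key)) {
        return 'invalid key';
    }
    return 'lookup with key of type string';
}

// Constructed requests: the array-shaped one and a well-formed one.
$arrayShaped = params_from_query('action=rp&key[]=');
$wellFormed  = params_from_query('action=rp&key=ab12cd34ef56gh78ij90');

var_dump($arrayShaped['key']);
echo check_key_weak($arrayShaped['key']), "\n";
echo check_key_strict($arrayShaped['key']), "\n";
echo check_key_strict($wellFormed['key']), "\n";
```

The same `is_string()` gate belongs in front of any `$_GET`/`$_POST` value that later reaches a query, a file path or a comparison, since every one of those code paths was written with a scalar in mind.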
Credit: SecLists.org