stupid little wordpress vulnerability
August 11th, 2009 by webstersprodigy
http://www.milw0rm.com/exploits/9410
This gave me quite a scare, since I thought by "reset" it meant reset to something determinable, which as far as I can tell it doesn't (it resets it to randomness). Still kind of annoying, since anyone can lock out an administrator or whoever.
Looking at the code:
function reset_password($key) {
    global $wpdb;
    // Strips non-alphanumerics. preg_replace() also accepts an array subject
    // and returns an array, so an array key survives this line as an array.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    // empty() is true for '' but false for a non-empty array, so an array
    // containing one empty string is not rejected here.
    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));
    // The array then reaches prepare() and the %s placeholder.
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
    // Generate something random for a password...
    $new_pass = wp_generate_password();
    do_action('password_reset', $user, $new_pass);
    // ... (remainder of the function not quoted in the post)
Really not too terribly awful. The password can be reset to a random value by an unauthenticated person, which is annoying but not devastating unless it's part of a larger attack (an attacker between you and your weblog, for example, might be able to see the unencrypted email or something). A band-aid fix is given by http://www.vul.kr/how-to-fix-wordpress, though it's not really the right way to secure it (it only makes sure there are no arrays; really a whitelist should be used). So, testing this out, I have screwed up my admin logins and now must go reset them using SQL.
Tags: wordpress
August 11th, 2009 at 17:40
Hopefully I didn’t overlook anything… in the release it specifically says:
An attacker could exploit this vulnerability to compromise the admin
account of any wordpress/wordpress-mu <= 2.8.3
but I don’t see it being “compromised” exactly, unless that just means “annoyed because their password was randomized”.
August 12th, 2009 at 02:10
hahaha. Want to see something awful? They fixed it using an || is_array. http://core.trac.wordpress.org/changeset/11798
Why they didn’t whitelist the sucker is beyond me.
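As an added example (my own PHP, not WordPress's code), here are the three key checks discussed on this page side by side: the 2.8.3 check quoted in the post, the "|| is_array" patch from the comment above, and the whitelist version the post argues for. The database lookup is not performed; each function returns the value that would reach the %s placeholder, or the reason the key was rejected. The function names and the inputs are constructed, and the way an array argument is unpacked for %s is my model of $wpdb->prepare() at the time, not a call into it.

```php
<?php
// Added example, not WordPress's own code: three versions of the key check
// from reset_password(), run on the same constructed inputs.

// 1. The 2.8.3 check as quoted in the post. preg_replace() accepts an array
//    subject and returns an array, and empty() is false for a non-empty
//    array, so an array input is not rejected here.
function key_check_original($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'rejected (empty key)';
    }
    // Assumption about $wpdb->prepare(): a single array argument is treated
    // as the vsprintf() argument list, so array('') fills %s with ''.
    // A lookup for '' matches accounts that never requested a reset, whose
    // user_activation_key is the empty string.
    $value = is_array($key) ? (string) reset($key) : $key;
    return "lookup user_activation_key = '$value'";
}

// 2. The "|| is_array" patch mentioned in the comment: the same check with
//    the array case bolted on. Correct for this input, but it is still a
//    blacklist of one bad type.
function key_check_is_array_patch($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key) || is_array($key)) {
        return 'rejected (empty key or array)';
    }
    return "lookup user_activation_key = '$key'";
}

// 3. Whitelist: the key must be a string made only of the characters an
//    activation key can contain. Anything else is rejected before any
//    database call, and nothing is silently stripped.
function key_check_whitelist($key) {
    if (!is_string($key) || !preg_match('/^[a-z0-9]+$/i', $key)) {
        return 'rejected (key must be a non-empty alphanumeric string)';
    }
    return "lookup user_activation_key = '$key'";
}

// Constructed inputs. PHP parses a query string of key[]= into
// $_GET['key'] === array(''), which is the shape the advisory is about.
$inputs = array(
    'key=abc123' => 'abc123',
    'key=abc%21' => 'abc!',     // '!' is silently stripped by checks 1 and 2
    'key[]='     => array(''),
);

foreach ($inputs as $label => $key) {
    printf("%-12s original : %s\n", $label, key_check_original($key));
    printf("%-12s is_array : %s\n", $label, key_check_is_array_patch($key));
    printf("%-12s whitelist: %s\n\n", $label, key_check_whitelist($key));
}
```

Run it with `php` on the command line. The difference to look for is the `key[]=` row: the original check turns the array into a lookup for the empty string, the is_array patch rejects exactly that one shape, and the whitelist rejects it along with every other non-string or out-of-alphabet input, including `abc!`, which the other two quietly rewrite to `abc` instead of refusing.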