Xanda's Blog !~!

WordPress <= 2.8.3 Remote Admin Reset Password Vulnerability and the Patch

Aug
11

[at the time this entry was posted, this is still a 0day]

[level: medium]

For those who subscribe to Milw0rm’s RSS, you might have read about the WordPress <= 2.8.3 Remote Admin Reset Password Vulnerability earlier.

Let take a look at the vulnerable code in wp-login.php:

wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
    global $wpdb;
 
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
 
    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));
 
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();
 
if ( isset($_GET['key']) )
    $action = 'resetpass';
 
// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]....
 
line 370:
 
break;
 
case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);
 
    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }
 
    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();
 
break;
...[snip ]...

You can abuse the password reset function, and bypass the first step and
then reset the admin password by submiting an array to the $key
variable.

(Laurent Gaffié)

wanna see some PoC?

http://blog.example.com/wp-login.php?action=rp&key[]=

Hehehe.. ok.. now lets patch it.. change the code in line 188 into the following code

        if(is_array($key)) {
           $key = '';
           return new WP_Error('invalid_key', __('Invalid key'));
        }
        else
	   $key = preg_replace('/[^a-z0-9]/i', '', $key);

Now you are done.

P/S: This is not the official patch from WordPress. So far there is still no patch yet. You can temporarily use this method and please upgrade to the next version of WordPress when the patch is available. If you found that my patch is still vulnerable to this attack, kindly ‘patch’ me in the comment section

Greetz to Laurent Gaffié & Leong Jaan Yeh

Reference:

  • http://www.milw0rm.com/exploits/9410
  • http://my.php.net/is_array

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

New Year – 2009

Jan
01

** full update will be posted later **

I’ve spent the whole new year night to prepare :-

But here are the results :-

  • I gave my Microsoft Window$ XP’s CD to my brother and the backup (ISO) that I have with me is CORRUPTED. I’ve tried with VMWare Server 2 and 1.0.8 and I thought the problem was due to Virtual Machine Disk Format (VMDK) incompatibility, but after using VirtualBox, then only I know that the problem actually came from the ISO file. Haaaihh… What a waste…
  • The automate migration tool from CMS Made Simple to WordPress is finally finished and surprisingly it is 98.33% compatible BUT suddenly I’ve found that WordPress doesn’t have ‘content inheritance’ functionality like CMS Made Simple did… So I have stick with CMS Made Simple… Again… Haaaihh… What a waste…

WordPress 2.5 Has Released

Mar
30

WordPress 2.5, the culmination of six months of work by the WordPress community, people just like you. The improvements in 2.5 are numerous, and almost entirely a result of your feedback: multi-file uploading, one-click plugin upgrades, built-in galleries, customizable dashboard, salted passwords and cookie encryption, media library, a WYSIWYG that doesn’t mess with your code, concurrent post editing protection, full-screen writing, and search that covers posts and pages.

For a short overview of the features with screenshots, it’d be best to visit our sneak peek announcement for RC1. Or check out a 4-minute screencast of the new interface in action. If you just want to jump straight to the good stuff here’s where you can find 2.5 upgrade and download information.

If you want to see everything I would grab a cup of coffee or a mojito, because this post is epic.

User Features

  • Cleaner, faster, less cluttered dashboard
  • Dashboard Widgets
  • Multi-file upload with progress bar
  • Bonus: EXIF extraction
  • Search posts and pages
  • Tag management
  • Password strength meter
  • Concurrent editing protection
  • Few-click plugin upgrades
  • Friendlier visual post editor
  • Built-in galleries

Developer Features

Now for the geeky stuff. While we’re excited about the above features, each one represents a new opportunity or API for other developers to take to another level. (The best of which we’ll someday integrate back into WP.)

  • Salted passwords
  • Secure cookies
  • Easy taxonomy and URL creation
  • Inline documentation
  • Database optimization
  • $wpdb->prepare()
  • Media buttons
  • Shortcode API

[source: WordPress]

Download WordPress 2.5 now and dont forget to update your databe by running the following script :

http://www.your-blog-url.com/wp-admin/update.php