[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4b13609c0908101948kf79b176re32b0433c4aa84de@mail.gmail.com>
Date: Mon, 10 Aug 2009 22:48:16 -0400
From: laurent gaffie <laurent.gaffie@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: WordPress <= 2.8.3 Remote admin reset password
Oh ok.
Then, let's avoid that function.
If it's useless to have a function who validate a reset passwd before
resetting it, let's just avoid it smartass.
2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2@...il.com>
There is no risk on this.
> It's just a little flaw, it doesn't broke anything or put your admin access
> in risk.
>
> :-P to me , this vulnerability is more "BUZZ" then real deal. LOL
>
>
> 2009/8/10 laurent gaffie <laurent.gaffie@...il.com>
>
>> Hi there,
>>
>> This wasn't tested on the 2.7* branch.
>> It as been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as an
>> Apache 2.2.12 module, on a linux env.
>>
>>
>> Regards Laurent Gaffié
>>
>>
>>
>> 2009/8/10 Nicolas Valcárcel Scerpella <nicolas.valcarcel@...onical.com>
>>
>>> I don't see the issue with wp 2.7.1
>>>
>>> On Mon, 10 Aug 2009, laurent gaffie wrote:
>>>
>>> > Errata:
>>> >
>>> > "V. BUSINESS IMPACT
>>> > -------------------------
>>> > An attacker could exploit this vulnerability to compromise the admin
>>> account
>>> > of any wordpress/wordpress-mu <= 2.8.3"
>>> >
>>> > -->
>>> >
>>> > "V. BUSINESS IMPACT
>>> > -------------------------
>>> > An attacker could exploit this vulnerability to reset the admin account
>>> of
>>> > any wordpress/wordpress-mu <= 2.8.3"
>>> >
>>> >
>>> > Regards Laurent Gaffié
>>> >
>>> >
>>> > 2009/8/10 laurent gaffie <laurent.gaffie@...il.com>
>>> >
>>> > > =============================================
>>> > > - Release date: August 10th, 2009
>>> > > - Discovered by: Laurent Gaffié
>>> > > - Severity: Medium
>>> > > =============================================
>>> > >
>>> > > I. VULNERABILITY
>>> > > -------------------------
>>> > > WordPress <= 2.8.3 Remote admin reset password
>>> > >
>>> > > II. BACKGROUND
>>> > > -------------------------
>>> > > WordPress is a state-of-the-art publishing platform with a focus on
>>> > > aesthetics, web standards, and usability.
>>> > > WordPress is both free and priceless at the same time.
>>> > > More simply, WordPress is what you use when you want to work with
>>> your
>>> > > blogging software, not fight it.
>>> > >
>>> > > III. DESCRIPTION
>>> > > -------------------------
>>> > > The way Wordpress handle a password reset looks like this:
>>> > > You submit your email adress or username via this form
>>> > > /wp-login.php?action=lostpassword ;
>>> > > Wordpress send you a reset confirmation like that via email:
>>> > >
>>> > > "
>>> > > Someone has asked to reset the password for the following site and
>>> > > username.
>>> > > http://DOMAIN_NAME.TLD/wordpress
>>> > > Username: admin
>>> > > To reset your password visit the following address, otherwise just
>>> ignore
>>> > > this email and nothing will happen
>>> > >
>>> > >
>>> > >
>>> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>>> > > "
>>> > >
>>> > > You click on the link, and then Wordpress reset your admin password,
>>> and
>>> > > sends you over another email with your new credentials.
>>> > >
>>> > > Let's see how it works:
>>> > >
>>> > >
>>> > > wp-login.php:
>>> > > ...[snip]....
>>> > > line 186:
>>> > > function reset_password($key) {
>>> > > global $wpdb;
>>> > >
>>> > > $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>> > >
>>> > > if ( empty( $key ) )
>>> > > return new WP_Error('invalid_key', __('Invalid key'));
>>> > >
>>> > > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
>>> WHERE
>>> > > user_activation_key = %s", $key));
>>> > > if ( empty( $user ) )
>>> > > return new WP_Error('invalid_key', __('Invalid key'));
>>> > > ...[snip]....
>>> > > line 276:
>>> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
>>> > > $errors = new WP_Error();
>>> > >
>>> > > if ( isset($_GET['key']) )
>>> > > $action = 'resetpass';
>>> > >
>>> > > // validate action so as to default to the login screen
>>> > > if ( !in_array($action, array('logout', 'lostpassword',
>>> 'retrievepassword',
>>> > > 'resetpass', 'rp', 'register', 'login')) && false ===
>>> > > has_filter('login_form_' . $action) )
>>> > > $action = 'login';
>>> > > ...[snip]....
>>> > >
>>> > > line 370:
>>> > >
>>> > > break;
>>> > >
>>> > > case 'resetpass' :
>>> > > case 'rp' :
>>> > > $errors = reset_password($_GET['key']);
>>> > >
>>> > > if ( ! is_wp_error($errors) ) {
>>> > > wp_redirect('wp-login.php?checkemail=newpass');
>>> > > exit();
>>> > > }
>>> > >
>>> > > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>>> > > exit();
>>> > >
>>> > > break;
>>> > > ...[snip ]...
>>> > >
>>> > > You can abuse the password reset function, and bypass the first step
>>> and
>>> > > then reset the admin password by submiting an array to the $key
>>> variable.
>>> > >
>>> > >
>>> > > IV. PROOF OF CONCEPT
>>> > > -------------------------
>>> > > A web browser is sufficiant to reproduce this Proof of concept:
>>> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
>>> <http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
>>> > > The password will be reset without any confirmation.
>>> > >
>>> > > V. BUSINESS IMPACT
>>> > > -------------------------
>>> > > An attacker could exploit this vulnerability to compromise the admin
>>> > > account of any wordpress/wordpress-mu <= 2.8.3
>>> > >
>>> > > VI. SYSTEMS AFFECTED
>>> > > -------------------------
>>> > > All
>>> > >
>>> > > VII. SOLUTION
>>> > > -------------------------
>>> > > No patch aviable for the moment.
>>> > >
>>> > > VIII. REFERENCES
>>> > > -------------------------
>>> > > http://www.wordpress.org
>>> > >
>>> > > IX. CREDITS
>>> > > -------------------------
>>> > > This vulnerability has been discovered by Laurent Gaffié
>>> > > Laurent.gaffie{remove-this}(at)gmail.com
>>> > > I'd like to shoot some greetz to securityreason.com for them great
>>> > > research on PHP, as for this under-estimated vulnerability discovered
>>> by
>>> > > Maksymilian Arciemowicz :
>>> > > http://securityreason.com/achievement_securityalert/38
>>> > >
>>> > > X. REVISION HISTORY
>>> > > -------------------------
>>> > > August 10th, 2009: Initial release
>>> > >
>>> > > XI. LEGAL NOTICES
>>> > > -------------------------
>>> > > The information contained within this advisory is supplied "as-is"
>>> > > with no warranties or guarantees of fitness of use or otherwise.
>>> > > I accept no responsibility for any damage caused by the use or
>>> > > misuse of this information.
>>> > >
>>>
>>> > _______________________________________________
>>> > Full-Disclosure - We believe in it.
>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> --
>>> Nicolas Valcárcel
>>> Security Engineer
>>> Custom Engineering Solutions Group
>>> Canonical OEM Services
>>> Mobile: +511 994 293 200
>>> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9 DD12 524E C3CD EF58 4970
>>> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>
>>> iQEcBAEBCAAGBQJKgNe5AAoJEFJOw83vWElwLj4H/3dk7RW9WJoUpzI6E5QKdXsF
>>> 7uNeGL8Yho9RZuPEK93IecImLa25Jy7KhzL+P4FfCCyYXVG8hxaUlUQss77PhsjK
>>> VG/YkDChiNJi2tj7jixcdpVy7MLiDxMiHBGNSzI2piBiZb3/toSBvZslSW2yqgIk
>>> OkqbJ7AE5yTu4sulhO29DRYzFUjvZHGKR2akRu/3RlOUHhwVDJw0m2ZO4M3MHz4+
>>> 1x/w7HhzmbMo/kioxJpPsU7f+axVnRMia9dZmvakfhmNdht98qAE/a7UlpT+ft1w
>>> Vua7DRYwOn4o5UYXhBmUL/uCUt3CLeT9Jgu0/bWZ3G3gR1Rw1edS7E5Q7A9wlEY=
>>> =UdOl
>>> -----END PGP SIGNATURE-----
>>>
>>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
>
> If you have questions please let me know.
> Best regards,
> - Fábio - IT Manager
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists