Slashdot Mirror


WordPress Exploit Allows Admin Password Reset

Multiple readers have sent word of a vulnerability in WordPress 2.8.3 which allows anyone to lock an admin out of his or her account by resetting the password. "The bug ... is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required." An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.

3 of 100 comments

  1. Clarification by Jugalator · Score: 4, Informative

    For those who don't RTFA, this doesn't give the attacker access to the new, reset, password. That requires access to the admin's mailbox as well. So the link saying "lock an admin out" is a bit, well, not completely true. It could be true if his/her inbox is hacked, but not otherwise.

    --
    Beware: In C++, your friends can see your privates!
    1. Re:Clarification by makomk · Score: 3, Informative

        RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual.

      Except that's not actually what it says, and even if it was TFA states otherwise:

        As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

      The e-mail that doesn't get sent is the one asking the user to confirm they want to reset their password, since that step is bypassed by the exploit.
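
      The mechanism the summary calls a "specially manipulated link" and the quoted detail above ("the first account without a key in the database ... would have its password reset") can be shown with a small PHP model. This is an added example written for this page, not WordPress's own reset code and not code from the quoted advisory; the function names, the sample user table and the request values are constructed here. It assumes the bug class at issue: a reset handler that checks `empty()` on the `key` request parameter, so an array-typed value such as `?key[]=` passes the check, is flattened by a loosely typed query layer into an empty string, and therefore matches the first row whose activation key is blank, which is normally the admin. The hardened variant rejects anything that is not a non-empty string before touching the database.

```php
<?php
// Added example, not WordPress code. A simplified model of a "reset by key"
// handler; find_user_by_key, reset_password_* and $users are names invented
// for this page.

// Constructed sample user table: the admin row has no pending reset key,
// the editor row has a legitimately issued one.
$users = [
    ['id' => 1, 'login' => 'admin',  'email' => 'admin@example.test',  'activation_key' => ''],
    ['id' => 2, 'login' => 'editor', 'email' => 'editor@example.test', 'activation_key' => 'a1b2c3d4e5'],
];

// Stand-in for "SELECT * FROM users WHERE user_activation_key = ?".
function find_user_by_key(array $users, string $key): ?array {
    foreach ($users as $u) {
        if ($u['activation_key'] === $key) {
            return $u;
        }
    }
    return null;
}

// Vulnerable pattern: only asks whether the request value is "empty".
// preg_replace() applied to an array returns an array, and empty([''])
// is false, so an array-typed key sails past the check.
function reset_password_vulnerable(array $users, $key): string {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid key';
    }
    // A loosely typed query layer flattens an array argument to its first
    // element, so the lookup runs with an empty string as the key.
    $lookup = is_array($key) ? (string) reset($key) : $key;
    $user = find_user_by_key($users, $lookup);
    if ($user === null) {
        return 'invalid key';
    }
    // No confirmation step: the password is replaced and mailed immediately.
    return "password reset for {$user['login']}, new password mailed to {$user['email']}";
}

// Hardened pattern: the key must be a non-empty string of key characters
// before any database lookup is attempted.
function reset_password_hardened(array $users, $key): string {
    if (!is_string($key)) {
        return 'invalid key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'invalid key';
    }
    $user = find_user_by_key($users, $key);
    if ($user === null) {
        return 'invalid key';
    }
    return "password reset for {$user['login']}, new password mailed to {$user['email']}";
}

// Simulated query strings: PHP parses "?key=a1b2c3d4e5" as a string and
// "?key[]=" as the array [''].
$legitimate_key = 'a1b2c3d4e5';
$array_key      = [''];

echo reset_password_vulnerable($users, $legitimate_key), "\n";  // the editor's own key
echo reset_password_vulnerable($users, $array_key), "\n";       // array-typed key from an unauthenticated request
echo reset_password_hardened($users, $array_key), "\n";         // same request against the hardened handler
```

      Note that, as Jugalator points out above, the attacker in this model never learns the new password: it is still mailed to the account owner. The damage is the unauthenticated, unconfirmed reset itself, which is why the hardened handler's type check has to sit before the lookup rather than relying on the mail step as a safeguard.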

  2. Re:Don't get it by MtlDty · Score: 3, Informative

    There is a discussion about the vulnerability on StackOverflow.