Slashdot Mirror

← Back to Stories (view on slashdot.org)

WordPress Exploit Allows Admin Password Reset

Posted by Soulskill on from the probably-the-first-time-most-have-been-changed dept.

Multiple readers have sent word of a vulnerability in WordPress 2.8.3 which allows anyone to lock an admin out of his or her account by resetting the password. "The bug ... is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required." An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.

12 of 100 comments (clear)

  1. Clarification by Jugalator · · Score: 4, Informative

    For those who don't RTFA, this doesn't give the attacker access to the new, reset, password. That requires access to the admin's mailbox as well. So the link saying "lock an admin out" is a bit, well, not completely true. It could be true if his/her inbox is hacked, but not otherwise.

    --
    Beware: In C++, your friends can see your privates!
    1. Re:Clarification by Jellybob · · Score: 4, Insightful

      Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.

      While you're right in saying the attacker can't access the admin's account, the admin themselves also can't access it, because their password has already been reset to something else, and they'll have to get the new one. It seems more like a minor inconvenience to me, then a massive bug which will end the world, but still a flaw.

    2. Re:Clarification by evanbd · · Score: 5, Insightful

      If I write a script that resets your password every 3 seconds, you'll find it to be more than a minor inconvenience.

    3. Re:Clarification by makomk · · Score: 3, Informative

      RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual.

      Except that's not actually what it says, and even if it was TFA states otherwise:

      As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

      The e-mail that doesn't get sent is the one asking the user to confirm they want to reset their password, since that step is bypassed by the exploit.

    4. Re:Clarification by Thaelon · · Score: 4, Funny

      Why wait 3 seconds?

      while true; do lynx -dump <specially crafted URL>; done &

      --

      Question everything

  2. Full disclosure a day after discovery? by SmitherIsGod · · Score: 4, Interesting

    Is that not a bit soon? Especially with wordpress - it's going to be ages before many people update, and it's not a critical problem.

  3. That's why I stopped using Wordpress by krovisser · · Score: 4, Insightful

    I was tired of constantly having security issues and having to upgrade. Isn't there less feature-filled blog app out there that's all lightweight and whatnot?

    1. Re:That's why I stopped using Wordpress by Deanalator · · Score: 3, Insightful

      blogspot

      Unless you have a team of developers and pentesters constantly maintaining your blog, you are better off getting it hosted somehwere else. Any given blog instance that is not properly maintained is only going to remain secure for about 6 months or so. If you, or you and a few people, or even a small company just want a simple blog to post stuff on, and you don't want to hire a staff of infosec monkeys, blogspot is definitely the way to go. The code is maintained by google, and data is redundantly backed up for you for free.

  4. Code is Poetry by pathological+liar · · Score: 3, Interesting

    If Code is Poetry then Wordpress is some 15 year old's notebook scribblings on angst, Twilight and Dashboard Confessional.

    If you're looking for alternatives that don't have gaping security issues with seemingly every release, check out Serendipity.

  5. Re:WordPress is Awesome by dubbreak · · Score: 3, Insightful

    *opens dashboard, presses "Upgrade to 2.8.4" button*

    Fixed. :D

    Not sure why you got modded down (probably just the way you put it). Upgrading Wordpress is trivially easy.

    Exploits happen, and this is a pretty minor one (just an annoyance, not user permission escalation, admin rights etc). They got a fix out quick and it's easy enough to apply.

    --
    "If you are going through hell, keep going." - Winston Churchill
  6. Re:Don't get it by MtlDty · · Score: 3, Informative

    There is a discussion about the vulnerability on StackOverflow

  7. Stupidity by pkretek · · Score: 3, Insightful

    I wonder why somebody would code that part the way they did it. As far as I understand it, they are trying to validate code by blacklisting instead of whitelisting:

    (from http://core.trac.wordpress.org/changeset/11798)
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        die();

    If you expect a hash you generated yourself, why don't you test if it preg_matches the spec you used to generate it in the first place? (/^[a-zA-Z0-9]{20}$/ in this case)

    Well that and being naive enough to expect $_GET["key"] to always return a string....