Internet Storm Center

Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly allows  remote users to reset the administrative password. They all lead to an original post on a full disclosure mailing list.

The attack uses an ability of PHP to not only set values on variables, but also make them arrays.

Basically a GET request can add data like:

http://www.example.com?data

Many environments use the data portion to create variable=value pairs:

http://www.example.com?variable1=value1&variable2=value2

actually the & needs to be encoded as & to create proper html, but many ignore that rule

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

PHP being a typeless environment, this means that if you process variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string ...

A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.

One cannot stress the importance of proper input filtering enough.

The "handy" feature to submit an array in a GET request might well be ignored by many other developers beyond those at wordpress, so if you wrote PHP code yourself, best verify for this possibility.

UPDATE:

Wordpress released 2.8.4 to fix the issue.

--
Swa Frantzen -- Section 66