Wordpress unauthenticated administrator password reset
Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly allows remote users to reset the administrative password. They all lead to an original post on a full disclosure mailing list.
The attack uses an ability of PHP to not only set values on variables, but also make them arrays.
Basically a GET request can add data like:
http://www.example.com?data
Many environments use the data portion to create variable=value pairs:
http://www.example.com?variable1=value1&variable2=value2
actually the & needs to be encoded as & to create proper html, but many ignore that rule
PHP takes this a notch further by allowing arrays to be created from a GET as well:
http://www.example.com?variable[]=value1&variable[]=value2
PHP being a typeless environment, this means that if you process variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string ...
A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.
One cannot stress the importance of proper input filtering enough.
The "handy" feature to submit an array in a GET request might well be ignored by many other developers beyond those at wordpress, so if you wrote PHP code yourself, best verify for this possibility.
UPDATE:
Wordpress released 2.8.4 to fix the issue.
--
Swa Frantzen -- Section 66
