Last Updated: 2009-08-12 12:03:41 UTC
by Swa Frantzen (Version: 3)
Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly allows remote users to reset the administrative password. They all lead to an original post on a full disclosure mailing list.
The attack uses an ability of PHP to not only set values on variables, but also make them arrays.
Basically a GET request can add data like:
Many environments use the data portion to create variable=value pairs:
actually the & needs to be encoded as & to create proper html, but many ignore that rule
PHP takes this a notch further by allowing arrays to be created from a GET as well:
PHP being a typeless environment, this means that if you process variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string ...
A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.
One cannot stress the importance of proper input filtering enough.
The "handy" feature to submit an array in a GET request might well be ignored by many other developers beyond those at wordpress, so if you wrote PHP code yourself, best verify for this possibility.
Wordpress released 2.8.4 to fix the issue.
Swa Frantzen -- Section 66