Wordpress unauthenticated administrator password reset

Published: 2009-08-11
Last Updated: 2009-08-12 12:03:41 UTC
by Swa Frantzen (Version: 3)
5 comment(s)

Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly allows remote users to reset the administrative password. They all lead back to an original post on the Full-Disclosure mailing list.

The attack abuses the way PHP parses request parameters: PHP does not only assign values to variables, it can also turn a variable into an array.

Basically a GET request can add data like:

http://www.example.com?data

Many environments use the data portion to create variable=value pairs:

http://www.example.com?variable1=value1&variable2=value2

Strictly speaking, when such a URL is written into an HTML document the & must be encoded as &amp; to produce valid HTML, but many ignore that rule.

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

PHP is loosely typed, so a variable the developer expects to hold a string can just as well hold an array. Code that processes user-submitted variables therefore needs to check the type explicitly: otherwise an attacker can feed it an array where a string was expected, and checks written with a string in mind may not behave as intended ...

A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.

One cannot stress the importance of proper input filtering enough.

The "handy" feature of submitting an array in a GET request might well be overlooked by many developers beyond those at wordpress, so if you wrote PHP code yourself, best verify that it handles this possibility.
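The following is an added example, not code from this diary or from wordpress. It shows both points made above: how PHP's query-string parser turns a `variable[]=` parameter into an array, and what a check written with a string in mind does when it receives one. The function names, the "key" parameter and the test cases are illustrative assumptions; the "vulnerable" function only mimics the general pattern (sanitise, then test for emptiness) and is not wordpress code.

```php
<?php
// Added example (not from the diary or from wordpress): how PHP builds
// arrays from a query string, and why a string-minded check can be fooled.
// Names and test cases are illustrative assumptions. Run with: php array_param.php
declare(strict_types=1);

// Reproduce what PHP does when it builds $_GET from the raw query string.
// parse_str() is the same parser, so "key[]=x" becomes array('x').
function parse_query(string $qs): array
{
    $out = [];
    parse_str($qs, $out);
    return $out;
}

// Vulnerable pattern: strip unwanted characters, then reject "empty" keys,
// silently assuming $key is a string.
function check_key_vulnerable($key): bool
{
    // preg_replace() accepts an array subject and then returns an array.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    // empty() is only true for an EMPTY array; array('') is not empty,
    // so an attacker-supplied key[]= passes this check.
    if (empty($key)) {
        return false;
    }
    // From here on $key would be used as if it were a validated string.
    return true;
}

// Hardened pattern: refuse anything that is not a string before doing
// anything else. This also rejects a missing parameter (null).
function check_key_hardened($key): bool
{
    if (!is_string($key)) {
        return false;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return $key !== '';
}

// Constructed query strings: one normal request, one empty key, and the
// array forms an attacker can submit.
$cases = [
    'key=abc123'      => 'normal request',
    'key='            => 'empty key',
    'key[]='          => 'array with one empty element',
    'key[]=a&key[]=b' => 'array with two elements',
    'key[x]=1'        => 'associative array',
];

foreach ($cases as $qs => $desc) {
    $get = parse_query($qs);
    $key = $get['key'] ?? null;
    printf("%-18s %-30s type=%-7s vulnerable=%-5s hardened=%s\n",
        $qs, $desc, gettype($key),
        var_export(check_key_vulnerable($key), true),
        var_export(check_key_hardened($key), true));
}
```

Expected behaviour: only `key=abc123` is accepted by both checks; `key=` is rejected by both; every `key[...]` form is accepted by the vulnerable check (the type column shows `array`) and rejected by the hardened one. What happens downstream when such an array reaches string-oriented code depends on the function it lands in: some emit an "Array to string conversion" warning and work on the literal string "Array", others accept the array and act on its elements, which is exactly why the type has to be pinned down at the entry point rather than trusted later on.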

UPDATE:

Wordpress released 2.8.4 to fix the issue.

--
Swa Frantzen -- Section 66

Keywords: wordpress

Comments

I'm curious why they went with "fail on empty or is an array":

+ if ( empty( $key ) || is_array( $key ) )

and not "fail on empty or not a string":

+ if ( empty( $key ) || !is_string( $key ) )

This sounds like a realization of the HTTP Parameter Pollution (HPP) mentioned in this OWASP EU09 presentation (PDF): http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

WP 2.8.4 released

Hey, I also got locked out of my computer several days ago. I tried several free programs. It took me two days and got quite messy. Unfortunately none of them worked for me. Finally I made it work with Password Genius. The good news is that it works. The bad news is that it is not free.
You can try Password Genius. It works for me.

Check this out:
www.password-genius.com/how-to/how-to-recover-my-windows-login-password.html It works for me.
