Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Wordpress unauthenticated administrator password reset - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Wordpress unauthenticated administrator password reset

Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly allows lets remote users reset the administrative password. They all lead to an original post on a full disclosure mailing list.

The attack uses an ability of PHP to not only set values on variables, but also make them arrays.

Basically a GET request can add data like:

http://www.example.com?data

Many environments use the data portion to create variable=value pairs:

http://www.example.com?variable1=value1&variable2=value2

actually the & needs to be encoded as & to create proper html, but many ignore that rule

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

PHP being a typeless environment, this means if you process variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string ...

A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.

One cannot stress the importance of proper input filtering enough.

The "handy" feature to submit an array in a GET request might well be ignored by many other developers beyond those at wordpress, so if you wrote PHP code yourself, best verify for this possibility.

--
Swa Frantzen -- Section 66

Swa

760 Posts
I'm curious why the went with "fail on empty or is an array":

+ if ( empty( $key ) || is_array( $key ) )

and not "fail on empty or not a string":

+ if ( empty( $key ) || !is_string( $key ) )
ashcrow

9 Posts
This sounds like a realization of the HTTP Parameter Pollution (HPP) mentioned in this OWASP EU09 presentation (PDF): http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
Nathan Christiansen

20 Posts
WP 2.8.4 released
Anonymous
Hey, I also got locked out of my computer several days ago. I tried several free software. It took me two days and got quite messy. Unfortunately none of them work for me. Finally I made it work with password genius. The good news is that it works. The bad news is it is not free.
Anonymous
You can try Password Genius. It works for me.

Check this out:
www.password-genius.com/how-to/how-to-recover-my-windows-login-password.html It works for me.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!