WordPress unauthenticated administrator password reset
Juha-Matti pointed out multiple reports of a vulnerability in the widely used WordPress blog software that supposedly allows remote, unauthenticated users to reset the administrative password. They all lead back to an original post on the Full Disclosure mailing list.
The attack abuses the way PHP parses request parameters: a parameter can not only be given a string value, it can also be turned into an array.
Basically, a GET request can carry extra data in the query string after a question mark:
http://www.example.com?data
Most environments split that query string on & into variable=value pairs:
http://www.example.com?variable1=value1&variable2=value2
Strictly speaking, when such a URL is written inside an HTML document the & needs to be encoded as &amp;, but many ignore that rule; in the request itself it is sent as a literal &.
PHP takes this a notch further by allowing arrays to be created from a GET as well:
http://www.example.com?variable[]=value1&variable[]=value2
PHP is loosely typed, so $_GET['variable1'] can be a string in one request and an array in the next, and nothing in the language forces a distinction. A developer processing user-submitted variables therefore needs to check that what arrived really is the string the code expects, and not an array an attacker substituted for it. A plain empty() check does not catch this: a one-element array is not empty.
A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use WordPress will see an updated version soon enough.
One cannot stress the importance of proper input validation, of type as well as content, enough.
The "handy" feature of submitting an array through a GET request may well be overlooked by many developers beyond those at WordPress, so if you wrote PHP code yourself, best verify that every parameter you treat as a string really is one.
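The mechanism described above, as an added example that is not code from WordPress or from this diary: the script below shows how PHP turns key[]= into an array, how that array slips past empty(), and how a common sprintf-style query helper then unpacks it into an empty-string argument. The user table, the prepare_query() and run_query() helpers and the reset flow are constructed stand-ins for a database layer; their names and behaviour are assumptions, not the WordPress implementation. The hardened variant uses the stricter !is_string() form of the check.

```php
<?php
// Added example, not code from WordPress or from the diary above. It shows
// how PHP turns "key[]=" into an array, how that array slips past empty(),
// and how one common downstream idiom then changes the meaning of a query.
// The user table, prepare_query() and run_query() are constructed stand-ins
// for a database layer; their names and behaviour are assumptions.

// Constructed user table. The administrator has no reset pending, so its
// activation key is the empty string.
$users = [
    ['ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'alice', 'user_activation_key' => 'c0ffee1234'],
];

// sprintf-style query builder. Like many such helpers it accepts either
// prepare_query($sql, $a, $b) or prepare_query($sql, [$a, $b]); that
// convenience is what lets an unexpected array become the argument list.
function prepare_query(string $sql, ...$args): string
{
    if (count($args) === 1 && is_array($args[0])) {
        $args = $args[0];
    }
    $args = array_map(fn($a) => addslashes((string) $a), $args);
    return vsprintf($sql, $args);
}

// Stand-in for the database: evaluates the one query shape built below.
function run_query(array $users, string $sql): ?array
{
    if (!preg_match("/user_activation_key = '(.*)'$/", $sql, $m)) {
        return null;
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === stripslashes($m[1])) {
            return $u;
        }
    }
    return null;
}

// Vulnerable flow: empty() is the only guard. empty([""]) is false, so a
// one-element array passes and reaches prepare_query() as its argument list.
// (empty() also rejects the legitimate-looking key "0"; a string check with
// $key === '' would be more precise, but that is a separate issue.)
function reset_password_vulnerable(array $users, $key): string
{
    if (empty($key)) {
        return 'error: invalid key';
    }
    $sql  = prepare_query("SELECT * FROM users WHERE user_activation_key = '%s'", $key);
    $user = run_query($users, $sql);
    return $user ? "reset password of {$user['user_login']}" : 'error: invalid key';
}

// Hardened flow: insist on a non-empty string before any string function
// or query builder touches the value.
function reset_password_fixed(array $users, $key): string
{
    if (empty($key) || !is_string($key)) {
        return 'error: invalid key';
    }
    $sql  = prepare_query("SELECT * FROM users WHERE user_activation_key = '%s'", $key);
    $user = run_query($users, $sql);
    return $user ? "reset password of {$user['user_login']}" : 'error: invalid key';
}

// parse_str() applies the same parsing PHP uses to populate $_GET, so the
// three constructed query strings below reproduce what a request would deliver.
foreach (['action=rp&key=c0ffee1234', 'action=rp&key=', 'action=rp&key[]='] as $qs) {
    parse_str($qs, $get);
    printf("%-26s key=%-14s vulnerable: %-25s fixed: %s\n",
        $qs,
        json_encode($get['key']),
        reset_password_vulnerable($users, $get['key']),
        reset_password_fixed($users, $get['key']));
}
```

Run it with php on the command line. The first query string resets alice in both flows and the second is rejected by both. The third, key[]=, arrives as the array [""], passes empty(), is unpacked by prepare_query() into an empty-string argument and so matches the administrator's empty activation key in the vulnerable flow; the fixed flow rejects it at the type check before anything else touches it.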
UPDATE:
WordPress released 2.8.4 to fix the issue.
--
Swa Frantzen -- Section 66
Comments
+ if ( empty( $key ) || is_array( $key ) )
and not "fail on empty or not a string":
+ if ( empty( $key ) || !is_string( $key ) )
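Review bot: the first line, `is_array( $key )`, rejects only arrays, while the second, `!is_string( $key )`, rejects every value that is not a string. For a key read from $_GET the two are equivalent, since PHP populates that array only with strings and arrays, but the `!is_string` form is the allow-list version and still holds if another caller passes the key as some other type, so it is the more robust choice; in either variant the type check must run before any string function is applied to `$key`.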
ashcrow
Aug 11th 2009
Nathan Christiansen
Aug 11th 2009
GNa
Aug 12th 2009
windows password missing
Dec 21st 2009
Check this out:
www.password-genius.com/how-to/how-to-recover-my-windows-login-password.html It works for me.
david walton
Dec 21st 2009