Wordpress Admin Password Vulnerability and Solutions
On August 10th, 2009, a vulnerability was reported in Wordpress v2.8.3 that can be exploited by an attacker using a specially crafted URL to bypass certain security restrictions.
An attacker can send a request to the Wordpress system with a specially crafted URL to reset the password of the first user (usually the site administrator) without the correct secret key. As a result of this action, the first user without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. Repeated attacks may allow the attacker to cause persistent denial-of-service conditions.
This vulnerability is caused by a bug in the password reset functionality when verifying the secret key: Wordpress fails to adequately restrict access to the password reset feature. In detail, this is how Wordpress handles a request to reset a password.
http://your-site/wp-login.php?action=lostpassword
With this request, Wordpress sends a reset confirmation like the following via e-mail:
Someone has asked to reset the password for the following site and username.
http://your-site
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen
http://your-site/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
If we click this link, Wordpress will reset our admin password and send another e-mail with the new credentials. See how it works in the wp-login.php source code:

```php
case 'resetpass' :
case 'rp' :
	// The key from the query string is passed straight to reset_password();
	// only the return value (a WP_Error or not) decides where the user is sent.
	$errors = reset_password($_GET['key']);
	if ( ! is_wp_error($errors) ) {
		wp_redirect('wp-login.php?checkemail=newpass');
		exit();
	}
	wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
	exit();
	break;
```
The password reset function can be abused to bypass the key verification step and then reset the admin password: to trigger this, an array is submitted in place of a string for the $key variable.
What is the solution for this vulnerability? The vendor has released an update that fixes this issue, so we highly recommend upgrading to Wordpress v2.8.4.
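As an added example (not Wordpress's own code), the following hypothetical helper validate_reset_key() shows the kind of type check the fix relies on: a key that arrives as anything other than a non-empty string is rejected before it is ever used in a lookup.

```php
<?php
// Added example, not part of Wordpress: a hardened reset-key check.
// validate_reset_key() is a hypothetical helper that stands in for the
// validation performed at the start of reset_password().
function validate_reset_key($key) {
    // PHP parses key[]=... in a query string into an array. preg_replace()
    // on an array returns an array, and empty() does not reject it, so the
    // type must be checked explicitly before any normalization.
    if ( ! is_string($key) ) {
        return null;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty($key) ) {
        return null;
    }
    // The caller's database lookup should additionally skip rows whose
    // stored activation key is empty, so users with no pending reset request
    // can never be matched.
    return $key;
}

// Constructed sample inputs standing in for $_GET['key'].
$samples = array(
    'valid string' => 'o7naCKN3OoeU2KJMMsag',
    'empty string' => '',
    'array value'  => array('abc'),
);
foreach ( $samples as $label => $input ) {
    $result = validate_reset_key($input);
    printf("%-13s -> %s\n", $label, $result === null ? 'rejected' : 'accepted');
}
```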
Mohamad Widodo