Security Information and Review

Collection of security information and review

WordPress Admin Password Vulnerability and Solutions

Author : Admin

On August 10th, 2009, a vulnerability was reported in WordPress v2.8.3 that an attacker can exploit with a specially crafted URL to bypass certain security restrictions.

 

An attacker can send a request with a specially crafted URL to the WordPress system to reset the password of the first user (usually the site administrator) without the correct secret key. As a result, the first account without a key in the database (usually the admin account) would have its password reset, and a new password would be emailed to the account owner. Repeated attacks may allow the attacker to cause persistent denial-of-service conditions.

 

This vulnerability is caused by a bug in the password reset functionality when verifying the secret key. WordPress fails to adequately restrict access to the password reset feature. In detail, this is how WordPress handles a request to reset a password:

http://your-site/wp-login.php?action=lostpassword

In response to this request, WordPress sends a reset confirmation like the following via e-mail:

 

Someone has asked to reset the password for the following site and username.
http://your-site
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen
http://your-site/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag

 

If we click this link, WordPress will reset our admin password and send another e-mail with the new credentials. The wp-login.php source code shows in detail how this works.

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);
    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }
    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();
break;

The password reset function can be abused to bypass the key verification step and then reset the admin password. To complete this action, an array is submitted as the $key variable.
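Why an array can get past a key check is shown in the PHP sketch below, which is an added illustration and not code from WordPress or from the original post. Both function names are hypothetical, the weak check is an assumed model of a check that sanitises the key and then tests only for emptiness, and the 20-character key format is inferred from the sample key in the e-mail above.

```php
<?php
// Added example, not WordPress source. Function names are hypothetical.

// Weak pattern (assumed model): sanitise the key, then test only for emptiness.
// preg_replace() returns an array when given an array, and a non-empty
// array such as array('') is not "empty", so it is treated as a valid key.
function key_passes_weak_check($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return !empty($key);
}

// Hardened pattern: require a string before any sanitising, then enforce
// the expected format instead of silently stripping characters.
function key_passes_strict_check($key) {
    if (!is_string($key)) {
        return false; // arrays, null and other non-strings are rejected outright
    }
    // Assumed format: exactly 20 alphanumerics, as in the sample e-mail key.
    return preg_match('/\A[a-zA-Z0-9]{20}\z/', $key) === 1;
}

// Constructed inputs, typed the way PHP can deliver them in $_GET['key'].
$samples = array(
    'well-formed key'  => 'o7naCKN3OoeU2KJMMsag',
    'empty string'     => '',
    'array with empty' => array(''),
    'punctuation only' => '!!!',
);

// Print the verdict of both checks for each input.
foreach ($samples as $label => $value) {
    printf(
        "%-18s weak=%-5s strict=%s\n",
        $label,
        var_export(key_passes_weak_check($value), true),
        var_export(key_passes_strict_check($value), true)
    );
}
```

Only the array input is judged differently by the two checks, which is the case a type check on request parameters is meant to catch.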

 

Is there a solution to fix this vulnerability? The vendor has released an update that fixes this issue, so we highly recommend updating to WordPress v2.8.4.

Mohamad Widodo


Categories: Web Security