Security Information and Review

Collection of security information and review

Wordpress Admin Password Vulnerability and Solutions

Author: Admin

On August 10th, 2009, a vulnerability was reported in WordPress v2.8.3 that can be exploited by an attacker with a specially crafted URL to bypass certain security restrictions.


An attacker can send a request to the WordPress system with a specially crafted URL to reset the password of the first user (usually the site administrator) without the correct secret key. As a result of this action, the account without a reset key in the database (usually the admin account) would have its password reset and a new password would be e-mailed to the account owner. Repeated attacks may allow the attacker to cause a persistent denial-of-service condition.


This vulnerability is caused by a bug in the password reset functionality when verifying the secret key: WordPress fails to adequately restrict access to the password reset feature. In detail, this is how WordPress handles a request to reset a password. The user first requests a reset with:

http://your-site/wp-login.php?action=lostpassword

With this request, WordPress sends a reset confirmation like the following via e-mail:


Someone has asked to reset the password for the following site and username.
http://your-site
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen
http://your-site/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag


If we click this link, WordPress resets our admin password and sends another e-mail with the new credentials. The relevant handling can be seen in the wp-login.php source code:

case 'resetpass' :
case 'rp' :
    // reset_password() looks up the user by the key taken straight from the query string
    $errors = reset_password($_GET['key']);
    if ( ! is_wp_error($errors) ) {
        // key accepted: the password has been reset and e-mailed
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }
    // key rejected: back to the lost-password form
    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();
break;

We can abuse the password reset function to bypass this key check and reset the admin password; to do so, an array is submitted as the $key variable instead of a string.
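The following is an added illustration, not code from WordPress or from this post, of why a key check built only on empty() is not enough once the key can arrive as an array, alongside the type-checked form a hardened reset handler needs. The 20-character alphanumeric key shape is assumed from the sample reset link above.

```php
<?php
// Added illustration (not WordPress code): the reset key from the request
// must be validated for type and shape, not just for emptiness.

// Weak check: strips non-alphanumerics, then only asks whether the result
// is empty. PHP fills $_GET['key'] with an array when the parameter is
// written in bracket form; preg_replace() then runs element-wise and
// returns an array, and empty() is false for any non-empty array, so a
// key that was never issued passes this test.
function weak_key_check($key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    return !empty($key);
}

// Hardened check: the key must be a string of the exact expected shape
// (20 alphanumeric characters, assumed from the sample link). Arrays,
// null, wrong lengths and stray characters are all refused before the
// value reaches any database lookup.
function strict_key_check($key) {
    if (!is_string($key)) {
        return false;
    }
    return preg_match('/^[a-z0-9]{20}$/i', $key) === 1;
}

// Constructed sample inputs: a well-formed key, an empty key, and the
// array value that a bracketed request parameter produces.
$samples = array(
    'well-formed key' => 'o7naCKN3OoeU2KJMMsag',
    'empty key'       => '',
    'array value'     => array('x'),
);

foreach ($samples as $label => $key) {
    printf("%-16s weak=%-5s strict=%s\n",
        $label,
        weak_key_check($key) ? 'pass' : 'fail',
        strict_key_check($key) ? 'pass' : 'fail');
}
```

A second layer of defence is to make the database lookup refuse any match on an empty stored activation key, so an account with no pending reset can never be selected regardless of what the request carries.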


What is the solution to this vulnerability? The vendor has released an update that fixes the issue, so we highly recommend upgrading to WordPress v2.8.4.

Mohamad Widodo

Categories: Web Security

Thank you very much for that good blog post.
14 September 09 at 05:50
thanks, this is definitely what I need for my new website
9 October 09 at 12:06
I usually don’t post on Blogs but ya forced me to, great info.. excellent! … I'll add a backlink and bookmark your site.
10 October 09 at 01:45
Luxuriously I believe that this post is something which insufficiency more notice of your readers.
26 December 09 at 14:01
It was very interesting for me to read the article. Thanx for it. I like such themes and anything that is connected to them. I would like to read more soon. BTW, rather good design you have here, but don’t you think design should be changed from time to time? Katty Watcerson
27 October 10 at 19:02
I was looking for this. Thanks a lot.
22 November 10 at 19:59
thanks, nice post.
19 December 10 at 16:40
Wow! Thank you! I often wanted to write in my site something like that. Can I take component of your post to my blog?
29 December 10 at 18:35
If you like this post, please leave messages / comments.