Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Technology

WordPress Exploit Allows Admin Password Reset 100

Multiple readers have sent word of a vulnerability in WordPress 2.8.3 which allows anyone to lock an admin out of his or her account by resetting the password. "The bug ... is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required." An alert on the Full Disclosure mailing list detailed the vulnerability, and WordPress quickly rolled out version 2.8.4 to address the issue.
This discussion has been archived. No new comments can be posted.

WordPress Exploit Allows Admin Password Reset

Comments Filter:
  • Clarification (Score:5, Informative)

    by Jugalator ( 259273 ) on Wednesday August 12, 2009 @10:08AM (#29038631) Journal

    For those who don't RTFA, this doesn't give the attacker access to the new, reset, password. That requires access to the admin's mailbox as well. So the link saying "lock an admin out" is a bit, well, not completely true. It could be true if his/her inbox is hacked, but not otherwise.

    • Re:Clarification (Score:5, Insightful)

      by Jellybob ( 597204 ) on Wednesday August 12, 2009 @10:10AM (#29038665) Journal

      Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.

      While you're right in saying the attacker can't access the admin's account, the admin themselves also can't access it, because their password has already been reset to something else, and they'll have to get the new one. It seems more like a minor inconvenience to me, then a massive bug which will end the world, but still a flaw.

      • Re:Clarification (Score:5, Insightful)

        by evanbd ( 210358 ) on Wednesday August 12, 2009 @10:53AM (#29039301)
        If I write a script that resets your password every 3 seconds, you'll find it to be more than a minor inconvenience.
      • That's why you should always setup an alternate login with Administrator access. I never use the actual admin login myself - still, I just did the upgrade.
      • Can't the administrator use the same hack to change the password again, regaining access?

        • by rednip ( 186217 )

          Can't the administrator use the same hack to change the password again, regaining access?

          For the same reason why this crack only locks out an administrator, rather than capturing the account; one would have to encrypt their new password using the same algorithm as the application.

      • Re: (Score:3, Informative)

        by Tumbleweed ( 3706 ) *

        > Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.

        While you're right in saying the attacker can't access the admin's account, the admin themselves also can't access it, because their password has already been reset to something else, and they'll have to get the new one. It seems more like a minor inconvenience to me, then a massive bug which will end the world, but still a flaw.

        The admin still gets the password change notification, tho

        • Just because no one has pointed it out, the administrator also likely either has access to the database or knows someone who does. Even if you don't have the ability to utilize the SAME algorithm that Wordpress uses (Which unless they did something special that most PHP programmers don't do, it's most likely just MD5), it's not hard to create an additional user that you DO know the password to and then do UPDATE wp_users SET password=(SELECT password from wp_users where user_id=knownpwid) where user_id=admi
    • Comment removed based on user account deletion
    • Comment removed based on user account deletion
    • RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual. Yes, the attacker can't get the password, but the admin doesn't get it either.
      • by genner ( 694963 )

        RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual. Yes, the attacker can't get the password, but the admin doesn't get it either.

        So, you just need to reset the password again using normal means.

      • Re:Clarification (Score:4, Informative)

        by makomk ( 752139 ) on Wednesday August 12, 2009 @01:14PM (#29041551) Journal

        RTFA? Did you RTFSummary? The point is that the password is reset but the reset doesn't get sent to the admin email as per usual.

        Except that's not actually what it says, and even if it was TFA states otherwise:

        As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.

        The e-mail that doesn't get sent is the one asking the user to confirm they want to reset their password, since that step is bypassed by the exploit.

  • by SmitherIsGod ( 914108 ) <SmitherIsGod@gmail.com> on Wednesday August 12, 2009 @10:13AM (#29038719)
    Is that not a bit soon? Especially with wordpress - it's going to be ages before many people update, and it's not a critical problem.
    • by wytcld ( 179112 )

      Since updating Wordpress is just a matter of pushing a button on the administrative screen, even being lazy is little reason not to go ahead.

      • by Krischi ( 61667 )

        Except that new versions have become more memory-hungry, and any sysadmin worth his money will limit the amount of memory that a PHP script is allowed to take. If it is insufficient for the new version, the automatic upgrade will just fail silently. Not so good.

  • by Anonymous Coward

    That's funny, my copy of Wordpress is not vulnerable to this issue. Oh wait, I tweaked things so that all of the logins and the like go over a separate, password-protected SSL connection. https://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= just won't work :) Obviously this won't work if you let arbitrary users login to your wordpress account.

    • And how did you manage to get wordpress to not insist on redirecting everything to a single host?

  • by krovisser ( 1056294 ) * on Wednesday August 12, 2009 @10:41AM (#29039111)
    I was tired of constantly having security issues and having to upgrade. Isn't there less feature-filled blog app out there that's all lightweight and whatnot?
    • drupal

    • by BitHive ( 578094 )

      Radiant CMS [radiantcms.org]

    • by Deanalator ( 806515 ) <pierce403@gmail.com> on Wednesday August 12, 2009 @11:41AM (#29040127) Homepage

      blogspot

      Unless you have a team of developers and pentesters constantly maintaining your blog, you are better off getting it hosted somehwere else. Any given blog instance that is not properly maintained is only going to remain secure for about 6 months or so. If you, or you and a few people, or even a small company just want a simple blog to post stuff on, and you don't want to hire a staff of infosec monkeys, blogspot is definitely the way to go. The code is maintained by google, and data is redundantly backed up for you for free.

      • #1 I tend not to trust blogspot so much, for the same reason that I never trusted geocities sites back in the day. #2 Blogspot is blocked in a lot of places. I hate when someone sends me a link in a breezy tone, never thinking that it might not be accessible everywhere.
        • by m50d ( 797211 )
          Blogspot is blocked in a lot of places. I hate when someone sends me a link in a breezy tone, never thinking that it might not be accessible everywhere.

          You deserve that one. If you can't access arbitrary locations on the internet, that's your own fault for sucking. What's the alternative, I should always copy-paste a complete website rather than sending a link?

          • Uh, my own fault? By defintion, a blocked site is beyond my (or anyone's) control. The alternative is to use websites that everyone can access, rather than the self-defeating behavior of limiting information to people with the luxury of unlimited internet access.
            • by m50d ( 797211 )
              Uh, my own fault? By defintion, a blocked site is beyond my (or anyone's) control.

              If your ISP isn't giving you internet access, unfiltered, then that's your fault for not getting a better one. Likewise for your employer.

              The alternative is to use websites that everyone can access

              Which I'm supposed to figure out how? I should hack into all my friends' networks and read their blocklists before sending them anything?

            • I have a hard time understanding the concept of a site being blocked.

              If a website that you are supposed to be able to see is blocked, then complain, move, or bounce past the blockage.

    • I run a site on Wordpress and managing the software updates has never been a big deal for me. I have shell access at my hosting provider, so I initially just installed Wordpress using CVS. Every time they rolled out a new bugfix, I just ran a little shell script like: "update "

      With recent versions of Wordpress, though, you don't even need to do that. When a new update is available, an alert appears on your admin dashboard. From there, you can actually click a button and have the system download the update a

    • Try Movable Type. It's maybe not what I'd really call "lightweight", but it isn't huge either.

    • by skeeto ( 1138903 )

      I use blosxom [sourceforge.net], which is extremely lightweight. The only way to get lighter is to have a static blog. It's only about 800 lines of Perl in a single script, so anyone who knows a little programming can easily become intimate with it. Many people who use it, including me, slowly modify it over time [plover.com] to fit our needs, molding it like a piece of putty. Its small size, with its worse is better [plover.com] tradeoffs, makes it pretty robust in terms of security, because there isn't any complexity in which to have vulnerabilitie

    • by skeeto ( 1138903 )

      To reply again with another tool,

      There's a neat blog generator called Thingamablog [sourceforge.net], which generates a static blog, and therefore has no vulnerabilities itself. Write entries offline, generate the static HTML, then sync that up to the server. Because there is no dynamic content, it works for hosts that only serve static content (like on Freenet, which can only "host" static pages) and minimizes the work done by the server. It's still pretty feature rich, with categories, and good navigation.

      The downside lack

    • Why has nobody mentioned Habari? It's designed effectively as a less bloated version of WP. http://habariproject.org/ [habariproject.org]
  • Thanks for the notice. I just logged in and upgraded mine. Now to do the other sites later tonight.
    • Re: (Score:3, Funny)

      by D Ninja ( 825055 )

      Now to do the other sites later tonight.

      What, by chance, is the web addresses for your other sites.

      No particular reason why I'm wondering. Just...um...want to read your blogs...

  • Code is Poetry (Score:4, Interesting)

    by pathological liar ( 659969 ) on Wednesday August 12, 2009 @11:14AM (#29039685)

    If Code is Poetry then Wordpress is some 15 year old's notebook scribblings on angst, Twilight and Dashboard Confessional.

    If you're looking for alternatives that don't have gaping security issues with seemingly every release, check out Serendipity [s9y.org].

    • Thy yonder Polygon, abstract yet concrete. From you the children of my loin spawn, deriving, overriding, and perfecting the methods of beauty you have defined. From thy concepts yee encapsulate the very essence of area and parameter, yet remain pure without implimentation. Still yet, thy dynamic children are best left outside of inner loops because virtual table lookups hurt performance. Oh, the resolve of thy methods, the polymorphism of thy soul.
    • It seems that most PHP apps have this problem because they encourage a "macro script" mentality.

      Perl FTW.

  • *opens dashboard, presses "Upgrade to 2.8.4" button*

    Fixed. :D

    • by dubbreak ( 623656 ) on Wednesday August 12, 2009 @01:56PM (#29042169)

      *opens dashboard, presses "Upgrade to 2.8.4" button*

      Fixed. :D

      Not sure why you got modded down (probably just the way you put it). Upgrading Wordpress is trivially easy.

      Exploits happen, and this is a pretty minor one (just an annoyance, not user permission escalation, admin rights etc). They got a fix out quick and it's easy enough to apply.

  • I'm not a PHP expert, but why does this work?

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
    return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE
    user_activation_key = %s", $key));
    if ( empty( $user ) )

  • for the password reset. You enter the Admin's user ID and click on a "Forgot password" button or link and it emails a new password to the email the Admin uses.

    Some software like Scoop has it and the new password is only good for a few days or so, in case the user or admin didn't request a new password and it allows the old password to work until the new password is used. Only the new password is emailed to the email address on file.

    Now if it showed the new password on the web page, that would be locking out

  • PHP is to blame (Score:3, Informative)

    by sverrehu ( 22545 ) on Wednesday August 12, 2009 @02:20PM (#29042521) Homepage
    It appears that PHP, upon seeing an incoming parameter with a name that ends in [something] (where something may be empty), automatically turns that variable into an array.

    How many of you PHP developers out there knew that? I didn't. And I had to dig quite a bit to find a reference to this behaviour in the docs.

    So, incoming stuff from the URL or the POST data are no longer strings all the time. Can they magically become other things than strings and arrays as well? Maybe not now, but what if some PHP developer thinks up another "nifty" feature _after_ I read the docs; how then am I supposed to protect my application in the future? Do I need to re-read the docs every time I upgrade PHP?

    And is there a way to turn this "we know better than you what you need"-behaviour off?

    I'm sick of seing framework developers add "nifty" features that you have to know about in order to write secure code. It's not only PHP, but also several highly popular Java frameworks that I work with these days. Some of them make it quite easy to write to object fields that are normally out of reach of the input fields in a form.

    I want a framework that makes it impossible to make mistakes, and where you have to _enable_ potentially dangerous features when you _know_ you need them, rather than _disable_ potentially dangerous features most people don't know about (or use).
    • I must admit that I didn't, and it is bothering me a bit. As I was reading the disclosure, before I got the the example, I did kind of think maybe the bug was going to be something like:

      http://example.com/reset.php?key=&key=
      If it had been that, that would (to my mind) be more reasonable for it ($_GET['key]) to return an array, but yeah, the square brackets = an array is totally new to me.

      PHP seems to be full of far far too much "helpful" crap like this!
    • I actually thought the ability to pass an array via a query string was actually more part of the HTTP standard than something that was developed especially for PHP.
  • Stupidity (Score:3, Insightful)

    by pkretek ( 247414 ) on Wednesday August 12, 2009 @03:57PM (#29043907)

    I wonder why somebody would code that part the way they did it. As far as I understand it, they are trying to validate code by blacklisting instead of whitelisting:

    (from http://core.trac.wordpress.org/changeset/11798 [wordpress.org])
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ( empty( $key ) )
        die();

    If you expect a hash you generated yourself, why don't you test if it preg_matches the spec you used to generate it in the first place? (/^[a-zA-Z0-9]{20}$/ in this case)

    Well that and being naive enough to expect $_GET["key"] to always return a string....

    • Re: (Score:3, Informative)

      by Skadet ( 528657 )
      Right, I wondered myself why there was no validate_key_is_valid() function, or even a simple cast for that matter. $key = (string)$key.

      On the other hand, this isn't exactly PHP's fault (or MySQL's, for that matter). The query:

      $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));

      They're selecting a row (the user) by a column (user_activation_key) that can be blank. Not NULL but literally an empty string. Bad.

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...