Mr Fabio, You dont even understand the bug, so please shut the hell up.
2009/8/11 Fabio N Sarmento [ Gmail ] <fabi...@gmail.com> > if this is an bug, please close Twitter.com, MSN.com and other services, > because they have the same stupid "Reset password" service. > > So please make my day, and create a stupid script to flood with mutiple > request to reset password. > > LOL > > 2009/8/10 Jeremy Brown <0xjbrow...@gmail.com> > > I'm guessing your not a Wordpress administrator, Fabio. Nice find >> Laurent, as usual. >> >> On Mon, Aug 10, 2009 at 10:48 PM, laurent >> gaffie<laurent.gaf...@gmail.com> wrote: >> > Oh ok. >> > Then, let's avoid that function. >> > If it's useless to have a function who validate a reset passwd before >> > resetting it, let's just avoid it smartass. >> > >> > >> > 2009/8/10 Fabio N Sarmento [ Gmail ] <fabi...@gmail.com> >> >> >> >> There is no risk on this. >> >> It's just a little flaw, it doesn't broke anything or put your admin >> >> access in risk. >> >> >> >> :-P to me , this vulnerability is more "BUZZ" then real deal. LOL >> >> >> >> 2009/8/10 laurent gaffie <laurent.gaf...@gmail.com> >> >>> >> >>> Hi there, >> >>> >> >>> This wasn't tested on the 2.7* branch. >> >>> It as been tested on the 2.8.* branch, with php 5.3.0 & php 5.2.9 as >> an >> >>> Apache 2.2.12 module, on a linux env. >> >>> >> >>> >> >>> Regards Laurent Gaffié >> >>> >> >>> >> >>> >> >>> 2009/8/10 Nicolas Valcárcel Scerpella < >> nicolas.valcar...@canonical.com> >> >>>> >> >>>> I don't see the issue with wp 2.7.1 >> >>>> >> >>>> On Mon, 10 Aug 2009, laurent gaffie wrote: >> >>>> >> >>>> > Errata: >> >>>> > >> >>>> > "V. BUSINESS IMPACT >> >>>> > ------------------------- >> >>>> > An attacker could exploit this vulnerability to compromise the >> admin >> >>>> > account >> >>>> > of any wordpress/wordpress-mu <= 2.8.3" >> >>>> > >> >>>> > --> >> >>>> > >> >>>> > "V. BUSINESS IMPACT >> >>>> > ------------------------- >> >>>> > An attacker could exploit this vulnerability to reset the admin >> >>>> > account of >> >>>> > any wordpress/wordpress-mu <= 2.8.3" >> >>>> > >> >>>> > >> >>>> > Regards Laurent Gaffié >> >>>> > >> >>>> > >> >>>> > 2009/8/10 laurent gaffie <laurent.gaf...@gmail.com> >> >>>> > >> >>>> > > ============================================= >> >>>> > > - Release date: August 10th, 2009 >> >>>> > > - Discovered by: Laurent Gaffié >> >>>> > > - Severity: Medium >> >>>> > > ============================================= >> >>>> > > >> >>>> > > I. VULNERABILITY >> >>>> > > ------------------------- >> >>>> > > WordPress <= 2.8.3 Remote admin reset password >> >>>> > > >> >>>> > > II. BACKGROUND >> >>>> > > ------------------------- >> >>>> > > WordPress is a state-of-the-art publishing platform with a focus >> on >> >>>> > > aesthetics, web standards, and usability. >> >>>> > > WordPress is both free and priceless at the same time. >> >>>> > > More simply, WordPress is what you use when you want to work with >> >>>> > > your >> >>>> > > blogging software, not fight it. >> >>>> > > >> >>>> > > III. DESCRIPTION >> >>>> > > ------------------------- >> >>>> > > The way Wordpress handle a password reset looks like this: >> >>>> > > You submit your email adress or username via this form >> >>>> > > /wp-login.php?action=lostpassword ; >> >>>> > > Wordpress send you a reset confirmation like that via email: >> >>>> > > >> >>>> > > " >> >>>> > > Someone has asked to reset the password for the following site >> and >> >>>> > > username. >> >>>> > > http://DOMAIN_NAME.TLD/wordpress >> >>>> > > Username: admin >> >>>> > > To reset your password visit the following address, otherwise >> just >> >>>> > > ignore >> >>>> > > this email and nothing will happen >> >>>> > > >> >>>> > > >> >>>> > > >> >>>> > > >> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag >> >>>> > > " >> >>>> > > >> >>>> > > You click on the link, and then Wordpress reset your admin >> password, >> >>>> > > and >> >>>> > > sends you over another email with your new credentials. >> >>>> > > >> >>>> > > Let's see how it works: >> >>>> > > >> >>>> > > >> >>>> > > wp-login.php: >> >>>> > > ...[snip].... >> >>>> > > line 186: >> >>>> > > function reset_password($key) { >> >>>> > > global $wpdb; >> >>>> > > >> >>>> > > $key = preg_replace('/[^a-z0-9]/i', '', $key); >> >>>> > > >> >>>> > > if ( empty( $key ) ) >> >>>> > > return new WP_Error('invalid_key', __('Invalid key')); >> >>>> > > >> >>>> > > $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM >> >>>> > > $wpdb->users WHERE >> >>>> > > user_activation_key = %s", $key)); >> >>>> > > if ( empty( $user ) ) >> >>>> > > return new WP_Error('invalid_key', __('Invalid key')); >> >>>> > > ...[snip].... >> >>>> > > line 276: >> >>>> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : >> >>>> > > 'login'; >> >>>> > > $errors = new WP_Error(); >> >>>> > > >> >>>> > > if ( isset($_GET['key']) ) >> >>>> > > $action = 'resetpass'; >> >>>> > > >> >>>> > > // validate action so as to default to the login screen >> >>>> > > if ( !in_array($action, array('logout', 'lostpassword', >> >>>> > > 'retrievepassword', >> >>>> > > 'resetpass', 'rp', 'register', 'login')) && false === >> >>>> > > has_filter('login_form_' . $action) ) >> >>>> > > $action = 'login'; >> >>>> > > ...[snip].... >> >>>> > > >> >>>> > > line 370: >> >>>> > > >> >>>> > > break; >> >>>> > > >> >>>> > > case 'resetpass' : >> >>>> > > case 'rp' : >> >>>> > > $errors = reset_password($_GET['key']); >> >>>> > > >> >>>> > > if ( ! is_wp_error($errors) ) { >> >>>> > > wp_redirect('wp-login.php?checkemail=newpass'); >> >>>> > > exit(); >> >>>> > > } >> >>>> > > >> >>>> > > >> >>>> > > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey'); >> >>>> > > exit(); >> >>>> > > >> >>>> > > break; >> >>>> > > ...[snip ]... >> >>>> > > >> >>>> > > You can abuse the password reset function, and bypass the first >> step >> >>>> > > and >> >>>> > > then reset the admin password by submiting an array to the $key >> >>>> > > variable. >> >>>> > > >> >>>> > > >> >>>> > > IV. PROOF OF CONCEPT >> >>>> > > ------------------------- >> >>>> > > A web browser is sufficiant to reproduce this Proof of concept: >> >>>> > > >> >>>> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=> >> <http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=> >> >>>> > > The password will be reset without any confirmation. >> >>>> > > >> >>>> > > V. BUSINESS IMPACT >> >>>> > > ------------------------- >> >>>> > > An attacker could exploit this vulnerability to compromise the >> admin >> >>>> > > account of any wordpress/wordpress-mu <= 2.8.3 >> >>>> > > >> >>>> > > VI. SYSTEMS AFFECTED >> >>>> > > ------------------------- >> >>>> > > All >> >>>> > > >> >>>> > > VII. SOLUTION >> >>>> > > ------------------------- >> >>>> > > No patch aviable for the moment. >> >>>> > > >> >>>> > > VIII. REFERENCES >> >>>> > > ------------------------- >> >>>> > > http://www.wordpress.org >> >>>> > > >> >>>> > > IX. CREDITS >> >>>> > > ------------------------- >> >>>> > > This vulnerability has been discovered by Laurent Gaffié >> >>>> > > Laurent.gaffie{remove-this}(at)gmail.com >> >>>> > > I'd like to shoot some greetz to securityreason.com for them >> great >> >>>> > > research on PHP, as for this under-estimated vulnerability >> >>>> > > discovered by >> >>>> > > Maksymilian Arciemowicz : >> >>>> > > http://securityreason.com/achievement_securityalert/38 >> >>>> > > >> >>>> > > X. REVISION HISTORY >> >>>> > > ------------------------- >> >>>> > > August 10th, 2009: Initial release >> >>>> > > >> >>>> > > XI. LEGAL NOTICES >> >>>> > > ------------------------- >> >>>> > > The information contained within this advisory is supplied >> "as-is" >> >>>> > > with no warranties or guarantees of fitness of use or otherwise. >> >>>> > > I accept no responsibility for any damage caused by the use or >> >>>> > > misuse of this information. >> >>>> > > >> >>>> >> >>>> > _______________________________________________ >> >>>> > Full-Disclosure - We believe in it. >> >>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >>>> > Hosted and sponsored by Secunia - http://secunia.com/ >> >>>> >> >>>> -- >> >>>> Nicolas Valcárcel >> >>>> Security Engineer >> >>>> Custom Engineering Solutions Group >> >>>> Canonical OEM Services >> >>>> Mobile: +511 994 293 200 >> >>>> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9 DD12 524E C3CD EF58 4970 >> >>>> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE >> >>>> >> >>>> -----BEGIN PGP SIGNATURE----- >> >>>> Version: GnuPG v1.4.9 (GNU/Linux) >> >>>> >> >>>> iQEcBAEBCAAGBQJKgNe5AAoJEFJOw83vWElwLj4H/3dk7RW9WJoUpzI6E5QKdXsF >> >>>> 7uNeGL8Yho9RZuPEK93IecImLa25Jy7KhzL+P4FfCCyYXVG8hxaUlUQss77PhsjK >> >>>> VG/YkDChiNJi2tj7jixcdpVy7MLiDxMiHBGNSzI2piBiZb3/toSBvZslSW2yqgIk >> >>>> OkqbJ7AE5yTu4sulhO29DRYzFUjvZHGKR2akRu/3RlOUHhwVDJw0m2ZO4M3MHz4+ >> >>>> 1x/w7HhzmbMo/kioxJpPsU7f+axVnRMia9dZmvakfhmNdht98qAE/a7UlpT+ft1w >> >>>> Vua7DRYwOn4o5UYXhBmUL/uCUt3CLeT9Jgu0/bWZ3G3gR1Rw1edS7E5Q7A9wlEY= >> >>>> =UdOl >> >>>> -----END PGP SIGNATURE----- >> >>>> >> >>> >> >>> >> >>> _______________________________________________ >> >>> Full-Disclosure - We believe in it. >> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> >> >> >> >> >> -- >> >> >> >> If you have questions please let me know. >> >> Best regards, >> >> - Fábio - IT Manager >> > >> > >> > >> > _______________________________________________ >> > Full-Disclosure - We believe in it. >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> > Hosted and sponsored by Secunia - http://secunia.com/ >> > >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > > > -- > > If you have questions please let me know. > Best regards, > - Fábio - IT Manager > -- follow me @twitter ! : http://twitter.com/laurentgaffie
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
