Tuesday, 11 August 2009

WordPress 2.8.3 Password Reset Vulnerability

After the release of the new 2.8.3 security update, WordPress faces a dangerous vulnerability that can lock out blog owners from their admin account. Using the online password reset function, hackers can remotely reset the admin password.

This issue was first reported by Laurent Gaffie on August 11 in a mailing list for Grok. WordPress developers have already been informed and a solution was incorporated in a development version of WordPress.

In the normal flow, a user who wants to recover their password first requests it via the “Reset password” link. The user then receives, at the registered email address, a message containing a verification link; when that link is clicked, the old password is deleted and replaced with a new one. The new password is sent to the user's registered email address as well.

By passing an array as the $key value to the wp-login.php module, the script can be forced to reset the admin password. This skips the email verification step, so the attack is invisible to the blog's owner. All of this can be done from a simple browser window.

This vulnerability can be used solely to reset the administrator password and not to remotely break and access the blog platform. It can only be used to lock out administrators from their blog.

The changeset in the development version introduced by WordPress prevents any kind of array from being passed as the $key variable value in wp-login.php.

The line

    if ( empty( $key ) )

was updated with

    if ( empty( $key ) || is_array( $key ) )

For the owners that already have been locked out of their accounts, WordPress has recommended the usage of the “Emergency Password Reset Script.” Administrators using this script need to know their admin account name (if different from standard) and have to upload the script in the same directory as the wp-login.php module. More instructions can be found on the official WordPress “Resetting Your Password” page.

softpedia
