Wordpress version <= 2.8.3 Remote Admin Password Reset Abuse

Thanks to Yeh and Adnan for pointing out the admin password reset abuse; they built their proof of concept by exploiting my WordPress install.

I would rate this vulnerability 3/5: it only resets the admin password, and the newly generated password is emailed to the address registered for the WordPress owner, not to the attacker. It is still necessary to patch your wp-login.php file. If an attacker has somehow managed to change the admin email address beforehand, the reset will deliver the new password to the attacker's mailbox, and you would not know until it is too late.

In wp-login.php, line 188, change this line of code


$key = preg_replace('/[^a-z0-9]/i', '', $key);

to


if ( is_array( $key ) ) {
    // A key that arrives as an array (PHP builds one from a request
    // parameter written as key[]=) can never be a valid activation key,
    // so reject it before it reaches the database lookup.
    $key = '';
    return new WP_Error('invalid_key', __('Invalid key'));
} else {
    // Normal case: keep only alphanumeric characters, as before.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
}

This serves as a temporary countermeasure against the password reset abuse until you can upgrade; the upstream fix shipped in WordPress 2.8.4, which adds an equivalent is_array() check next to the empty() check.
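To see why the one-line change matters, here is a stand-alone PHP script that simulates only the key check from reset_password() before and after the patch. This is an added example, not code from the original post or from WordPress itself; the function names, the use of false in place of WP_Error, and the sample inputs are assumptions made for the demonstration.

```php
<?php
// Added example (not from the post or from WordPress): simulate the key
// validation in reset_password() to show why an array-valued `key`
// parameter slips past the original check and why is_array() closes it.

function check_key_original($key) {
    // WordPress 2.8.3 logic: strip non-alphanumerics, then reject empty keys.
    // preg_replace() on an array subject returns an array, and a one-element
    // array is never "empty", so the array case sails through this check.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return false;   // stands in for WP_Error('invalid_key')
    }
    return $key;        // would go on to: WHERE user_activation_key = %s
}

function check_key_patched($key) {
    // Patched logic from the post: an array is never a valid key.
    if (is_array($key)) {
        return false;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return false;
    }
    return $key;
}

// Constructed inputs standing in for $_GET['key'] (assumed sample values).
$inputs = [
    'normal key'     => 'a1b2c3d4e5f6',
    'empty string'   => '',
    'array (key[]=)' => [''],   // PHP parses ?key[]= into this array
];

foreach ($inputs as $label => $value) {
    printf("%-16s original: %-18s patched: %s\n",
        $label,
        json_encode(check_key_original($value)),
        json_encode(check_key_patched($value)));
}
```

Run it with `php` from the command line. The original check returns `[""]` for the array input instead of rejecting it, while the patched check returns `false`. In my reading of the 2.8.3 code, that one-element array is then handed to `$wpdb->prepare()`, which treats an array argument as its vsprintf-style argument list, so the lookup becomes `user_activation_key = ''` and matches the first user without a pending activation key, which on a typical install is the admin account.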

References:

  1. Adnan – WordPress <= 2.8.3 Remote Admin Reset Password Vulnerability and the Patch
  2. milw0rm – WordPress <= 2.8.3 Remote admin reset password