Tuesday, 11 August 2009

WordPress 2.8.3 Password Reset Vulnerability


Even after the release of the 2.8.3 security update, WordPress is affected by a vulnerability that can lock blog owners out of their admin account. Using the online password reset function, an attacker can remotely reset the admin password.


This issue was first reported by Laurent Gaffie on August 11 on a mailing list for Grok. WordPress developers have already been informed, and a fix has been incorporated into a development version of WordPress.

In the normal flow, a user who wants to recover their password first requests a reset via the “Reset password” link. The user then receives, at their registered email address, a message containing a verification link which, when clicked, deletes the old password and replaces it with a new one. The new password is sent to the user's registered email address as well.

By passing an array as the $key value to wp-login.php, the script can be forced to reset the admin password. This skips the email verification step, so the attack is invisible to the blog's owner. All of this can be done from an ordinary browser window.

This vulnerability can only be used to reset the administrator password, not to break into the blog or gain access to it. Its effect is limited to locking administrators out of their own blog.

The changeset in the development version introduced by WordPress rejects any array passed as the $key value in wp-login.php.
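To make the two points above concrete (an untyped request value slipping past the verification step, and the fix of refusing arrays), here is an added example in PHP. It is not code from WordPress or from this post; it is a simplified model of a reset-key check with a constructed user table, a constructed key format, and hypothetical function names. It shows the two guards a defender wants: the request value must be a non-empty alphanumeric string, and an account whose stored key is empty (no reset pending) can never be matched.

```php
<?php
// Added example, not WordPress code. Models a hardened password-reset key
// check. Table contents, key format and function names are constructed.

declare(strict_types=1);

// Constructed stand-in for the users table. user_activation_key is empty
// for accounts that have not requested a reset.
const USERS = [
    ['login' => 'admin',  'user_activation_key' => ''],
    ['login' => 'editor', 'user_activation_key' => 'a1b2c3d4e5f6'],
];

/**
 * Return the reset key as a validated string, or null if the request value
 * is not a non-empty alphanumeric string. A check based on empty() alone
 * accepts a non-empty array; is_string() closes that gap before any lookup.
 */
function validate_reset_key($value): ?string
{
    if (!is_string($value)) {
        return null;                       // arrays, ints, null: rejected
    }
    if (!preg_match('/^[a-z0-9]{12,}$/i', $value)) {
        return null;                       // wrong charset or too short
    }
    return $value;
}

/**
 * Look up the account a validated key belongs to. The stored key must be
 * non-empty and equal to the supplied one, so accounts with no pending
 * reset can never match, whatever the request contained.
 */
function user_for_reset_key(array $users, ?string $key): ?array
{
    if ($key === null) {
        return null;
    }
    foreach ($users as $user) {
        $stored = $user['user_activation_key'];
        if ($stored !== '' && hash_equals($stored, $key)) {
            return $user;
        }
    }
    return null;
}

// Constructed request values, shaped as PHP would parse them from a query
// string: a proper key, an empty string, and two array-typed parameters.
$cases = [
    'valid key'    => 'a1b2c3d4e5f6',
    'empty string' => '',
    'array value'  => [''],
    'nested array' => ['x' => 'a1b2c3d4e5f6'],
];

foreach ($cases as $label => $value) {
    $user = user_for_reset_key(USERS, validate_reset_key($value));
    printf("%-12s -> %s\n", $label, $user ? 'reset for ' . $user['login'] : 'rejected');
}
```

Run it with `php` on the command line. Only the string key resolves to an account; the empty string and both array-shaped values are refused by the type check, and even a caller that bypassed `validate_reset_key()` could not match the admin row because its stored key is empty.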
