
Wordpress unauthenticated administrator password reset – SANS Internet Storm Center

Published: 2009-08-11,
Last Updated: 2009-08-11 13:33:23 UTC
by Swa Frantzen (Version: 1)

Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly lets remote users reset the administrative password. They all lead back to an original post on the Full Disclosure mailing list.

The attack abuses PHP's ability to populate request variables not only with plain values, but also with arrays.

Basically a GET request can add data like:

http://www.example.com?data

Many environments use the data portion to create variable=value pairs:

http://www.example.com?variable1=value1&variable2=value2

Strictly speaking, the & needs to be encoded as &amp; to produce proper HTML, but many ignore that rule.

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

Since PHP is loosely typed, a developer processing variables submitted by a user needs to make sure the code is not fed an array by an attacker where it expects a string.

A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.

One cannot stress the importance of proper input filtering enough.

The "handy" feature of submitting an array in a GET request may well have been overlooked by many developers beyond those at wordpress, so if you wrote PHP code yourself, it is best to check for this possibility.
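To make the check concrete, here is an added example (not code from the diary or from WordPress) that shows how PHP turns the query-string forms above into arrays, and a hypothetical helper, get_string_param(), that refuses anything but a plain string before the value is used:

```php
<?php
// Added example, not part of the diary or of WordPress.
// Constructed query strings matching the forms described in the diary.
$samples = [
    'variable1=value1&variable2=value2',   // plain scalars
    'variable[]=value1&variable[]=value2', // indexed array
    'variable[sub]=value1',                // associative array
];

foreach ($samples as $qs) {
    $parsed = [];
    parse_str($qs, $parsed);   // the same parsing PHP applies when filling $_GET
    echo $qs, "\n";
    var_export($parsed);
    echo "\n\n";
}

/**
 * Hypothetical helper: return request parameter $name only when it is a
 * non-empty string. Arrays (from name[]=... or name[sub]=...) and absent
 * values yield null, so later code can rely on the type it was written for.
 *
 * Note that empty() alone is not a substitute: empty(['x']) is false, so an
 * array with one element passes an emptiness check and reaches the code
 * that expected a string.
 */
function get_string_param(array $request, string $name): ?string
{
    if (!isset($request[$name]) || !is_string($request[$name])) {
        return null;   // missing, or not a string (e.g. an array)
    }
    $value = $request[$name];
    return $value === '' ? null : $value;
}

// The string form is accepted; the array form is refused.
$ok = [];
parse_str('key=abc123', $ok);
$bad = [];
parse_str('key[]=abc123', $bad);
var_dump(get_string_param($ok, 'key'));
var_dump(get_string_param($bad, 'key'));
```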

--
Swa Frantzen -- Section 66
