Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42872
  • Total Topics: 16081
  • Online Today: 4066
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: WordPress bug turns blogs into puppets  (Read 2539 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
WordPress bug turns blogs into puppets
« on: 12. August 2009., 09:41:10 »


Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers take over accounts by resetting the administrator password.

The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required, according to this alert published on the Full-Disclosure mailing list: http://seclists.org/fulldisclosure/2009/Aug/0113.html

The flaw lurks in some of the PHP code that fails to properly scrutinize user input when the password reset feature is invoked. Exploiting it is as easy is directing a web browser to a link that looks something like:

Code: [Select]
http://domain_name.tld/wp-login.php?action=rp&key[]=

According to WordPress documentation here, the bug has been fixed by changing a single line of code so the program checks to make sure the input supplied for the new password isn't an array: http://core.trac.wordpress.org/changeset/11798
If it is, the user gets an error message and must try again.

That would appear to be the end of it, but security researchers Rafal Los and Mike Bailey wonder aloud here whether it would have made more sense to check instead whether the input is a string: http://preachsecurity.blogspot.com/2009/08/wordpress-bugs-disturbing-vulnerability.html

"Hasty coding?" he asks. "Why take the blacklist vs. whitelist approach?"

The bigger point he and other observers seem to make is that PHP is the coding equivalent of an everyman's jet pack. It allows him to quickly soar into the sky with a minimal amount of training but doesn't necessarily provide the means to check for buildings, planes or other hazards that may greet the user once he gets there.

Of course, all languages are only as good as the person using them. But it's worth posing such questions to anything that's standing between your website and the people out to get it.

Additional details and analysis from Sans and Heise here: http://isc.sans.org/diary.html?storyid=6934 and here: http://www.heise.de/english/newsticker/news/143358

(Register)


Samker's Computer Forum - SCforum.info

WordPress bug turns blogs into puppets
« on: 12. August 2009., 09:41:10 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising