Juha-Matti pointed out multiple reports on a vulnerability in the widely used WordPress blog software that supposedly lets remote users reset the administrative password. They all lead to an original post on a full disclosure mailing list.

The attack uses an ability of PHP to not only set values on variables, but also make them arrays.

Basically a GET request can add data like:

http://www.example.com?data

Many environments use the data portion to create variable=value pairs:

http://www.example.com?variable1=value1&variable2=value2

(Actually the & needs to be encoded as &amp; to create proper HTML, but many ignore that rule.)

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

PHP being a typeless environment, this means that when processing variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string ...

A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use WordPress will see an updated version soon enough.

One cannot stress the importance of proper input filtering enough. The "handy" feature to submit an array in a GET request might well be ignored by many other developers beyond those at WordPress, so if you wrote PHP code yourself, best verify for this possibility.

--
Swa 760 Posts Aug 11th 2009 |
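
An added example, not part of the original diary or of the WordPress code base: it feeds constructed query strings through parse_str(), which builds arrays from brackets the same way PHP populates $_GET, and compares an empty()-only guard with an accessor that accepts strings only. The parameter name token and the helper functions are hypothetical.

```php
<?php
// Added example: token, parse_query, naive_is_valid and get_string_param
// are hypothetical names, and the query strings are constructed samples.

// parse_str() applies the same bracket rules PHP uses to fill $_GET,
// so these strings stand in for real requests and the script runs offline.
function parse_query(string $qs): array {
    parse_str($qs, $out);
    return $out;
}

// Naive guard: assumes the value is a string because the form sends one.
function naive_is_valid(array $query): bool {
    $token = $query['token'] ?? '';
    // empty() is false for a one-element array, even array(''),
    // so an array passes straight through this check.
    return !empty($token);
}

// Strict accessor: allow-list the expected type instead of guessing.
function get_string_param(array $query, string $name): ?string {
    $value = $query[$name] ?? null;
    if (!is_string($value) || $value === '') {
        return null;
    }
    return $value;
}

$samples = [
    'token=abc123',        // expected scalar form
    'token=',              // empty string
    'token[]=',            // array holding one empty string
    'token[]=a&token[]=b', // array with two elements
    'token[x][y]=1',       // nested array
    'other=1',             // parameter missing
];

foreach ($samples as $qs) {
    $q = parse_query($qs);
    printf(
        "%-22s type=%-6s naive=%-4s strict=%s\n",
        $qs,
        gettype($q['token'] ?? null),
        naive_is_valid($q) ? 'pass' : 'fail',
        var_export(get_string_param($q, 'token'), true)
    );
}
```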
I'm curious why they went with "fail on empty or is an array":

+ if ( empty( $key ) || is_array( $key ) )

and not "fail on empty or not a string":

+ if ( empty( $key ) || !is_string( $key ) )
ashcrow 9 Posts |
Aug 11th 2009 1 decade ago |
This sounds like a realization of the HTTP Parameter Pollution (HPP) mentioned in this OWASP EU09 presentation (PDF): http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
Nathan Christiansen 20 Posts |
Aug 11th 2009 1 decade ago |
WP 2.8.4 released
Anonymous |
Aug 12th 2009 1 decade ago |