SANS ISC: Wordpress unauthenticated administrator password reset - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Juha-Matti pointed out multiple reports on a vulnerability in the widely used wordpress blog software that supposedly allows lets remote users reset the administrative password. They all lead to an original post on a full disclosure mailing list.

The attack uses an ability of PHP to not only set values on variables, but also make them arrays.

Basically a GET request can add data like:

http://www.example.com?data

Many environments use the data portion to create variable=value pairs:

http://www.example.com?variable1=value1&variable2=value2

actually the & needs to be encoded as & to create proper html, but many ignore that rule

PHP takes this a notch further by allowing arrays to be created from a GET as well:

http://www.example.com?variable[]=value1&variable[]=value2

PHP being a typeless environment, this means if you process variables submitted by a user, the developer needs to be careful not to be fed an array by an attacker instead of the expected string ...

A fix is in the making here: http://core.trac.wordpress.org/changeset/11798. So I guess those who use wordpress will see an updated version soon enough.

One cannot stress the importance of proper input filtering enough.

The "handy" feature to submit an array in a GET request might well be ignored by many other developers beyond those at wordpress, so if you wrote PHP code yourself, best verify for this possibility.

--
Swa Frantzen -- Section 66