How to fix WordPress <= 2.8.3 remote admin password reset
Posted by HostsVault | Posted in How-To's | Posted on 12-08-2009-05-2008
A new exploit has been discovered in WordPress, the famous blogging web application: it resets the admin password without the confirmation link from the "Password Reset" e-mail ever being used. The detailed explanation is here; the vulnerable code (from reset_password() in wp-login.php) is:
function reset_password($key) {
global $wpdb;
// Strips non-alphanumerics; when $key is an array this runs element-wise and returns an array
$key = preg_replace('/[^a-z0-9]/i', '', $key);
// Only guard on the key: empty() is false for any non-empty array
if ( empty( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));
// %s is formatted with vsprintf(); a one-element array is unwrapped to its single value
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
return new WP_Error('invalid_key', __('Invalid key'));
// ... the function goes on to generate a new password and e-mail it
The key is only checked with empty(). If you pass an array instead of a string (which is a different variable type, e.g. key[]= in the query string), preg_replace() filters each element and hands back an array, and empty() returns false for a non-empty array, so the check is bypassed. The query then runs with the array's single blank element as the key and matches the first user whose user_activation_key is blank, normally the admin, so the password is reset right away and the new password is sent to the admin's listed e-mail. The attacker never sees the new password; the effect is that the admin is locked out until they read that e-mail.
In order to fix this problem, edit wp-login.php with your favorite editor and change this line:
Line 190 in WordPress 2.8.3, or line 169 in earlier 2.8 versions
if ( empty( $key ) )
TO
if ( empty( $key ) || is_array( $key ) )
This adds a check that rejects an array passed as the $key variable before it reaches the database query. It is the same one-line fix shipped in WordPress 2.8.4, so upgrading is the cleaner option where you can.
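To see the bypass and the fix side by side without touching a live site, here is an added, stand-alone PHP example (not WordPress code, and not from the original post). It models the key validation from reset_password() against a constructed in-memory user table; the find_user_by_key() helper, the user rows, and the request arrays are all assumptions made for illustration, with the helper mimicking how WordPress 2.8's prepare() unwraps a single array argument before vsprintf().

```php
<?php
// Added example, not WordPress code: a stand-alone model of the key check in
// wp-login.php reset_password(). The user table, lookup helper and request
// arrays are constructed here for illustration.

// Constructed user table: a fresh install's admin has an empty activation key.
$USERS = [
    ['ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'bob',   'user_activation_key' => 'k7f3a9c2e1'],
];

// Stand-in for $wpdb->get_row($wpdb->prepare("... WHERE user_activation_key = %s", $key)).
// WordPress 2.8's prepare() moves a single array argument into the vsprintf()
// argument list, so an array holding one empty string is formatted as ''.
function find_user_by_key(array $users, $key) {
    if (is_array($key)) {
        $key = (string) reset($key);   // assumption: mirrors prepare()'s unwrapping
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return $u;
        }
    }
    return null;
}

// The 2.8.3 check: only empty() guards the key.
function reset_password_vulnerable(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);  // an array is filtered element-wise
    if (empty($key)) {                              // false for a non-empty array
        return 'invalid_key';
    }
    $user = find_user_by_key($users, $key);
    if (empty($user)) {
        return 'invalid_key';
    }
    return 'reset:' . $user['user_login'];          // the real function regenerates the password here
}

// The patched check: reject arrays before they reach the query.
function reset_password_fixed(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key) || is_array($key)) {
        return 'invalid_key';
    }
    $user = find_user_by_key($users, $key);
    if (empty($user)) {
        return 'invalid_key';
    }
    return 'reset:' . $user['user_login'];
}

// Constructed requests standing in for $_GET['key'] in wp-login.php?action=rp&...
$requests = [
    'valid key    ?key=k7f3a9c2e1' => 'k7f3a9c2e1',
    'wrong key    ?key=nope'       => 'nope',
    'array trick  ?key[]='         => [''],
];

foreach ($requests as $label => $key) {
    printf("%-32s vulnerable=%-12s fixed=%s\n", $label,
        reset_password_vulnerable($USERS, $key),
        reset_password_fixed($USERS, $key));
}
```

Run it with `php example.php`. The valid key resets bob's password in both versions and the wrong key is rejected in both; only the array request differs, resetting admin in the vulnerable version while the patched version returns invalid_key. If you prefer a positive check over a blacklist of types, `if ( ! is_string( $key ) || $key === '' )` rejects everything that is not a non-empty string, including integers and objects, and is equivalent for the cases above.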
Enjoy!

