Comments on: WordPress 2.8.3 Admin Reset Exploit

By: dozaaaar

dozaaaar — Thu, 13 Aug 2009 04:46:12 +0000

This attack vector bypasses the empty() checks but does not yeild an empty string as the value in the WHERE clause, rather it yeilds the string ‘Array’…therefore NOT A PROBLEM.

By: free

free — Wed, 12 Aug 2009 19:01:56 +0000

rather annoying exploit, especially if you dont have direct access to the db.
good thing they already fixed it .

By: Brad Kelley

Brad Kelley — Wed, 12 Aug 2009 18:28:00 +0000

I’m not tracking. Which account is it resetting the password on? In my blogs I have the default admin account deleted, so just curious. Can’t tell by a cursory inspection of the code.

By: Kevin Korb

Kevin Korb — Wed, 12 Aug 2009 17:35:47 +0000

@cbrp1r8

I’ll agree and disagree with your comment. PHP does provide the tools to easily soar indeed. It DOES provide the means to check for buildings etc, however it doesn’t enforce, or require you to use them.

You can write crappy code in any language and leave yourself open for attack. Just because PHP lets you get the ball rolling very quickly, doesn’t mean it’s inferior.

I do shutter everytime I have to dive into the wordpress code though. It’s far from elegant and you’d think with the adoption that it has it would be better.

By: cbrp1r8

cbrp1r8 — Wed, 12 Aug 2009 15:30:53 +0000

wordpress…..again…..at least this part of the article was mildly humerous….

“The bigger point he and other observers seem to make is that PHP is the coding equivalent of an everyman

By: GZero

GZero — Wed, 12 Aug 2009 12:32:10 +0000

Of course, this only effectivly locks the admin out when he doesn’t have access to his e-mail address. Or his DB.

Interesting bug. Clever use of PHP’s get/post array notation, but can’t really be considered exploitable to any serious extend.