{"id":2013,"date":"2009-08-12T09:36:08","date_gmt":"2009-08-12T09:36:08","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=2013"},"modified":"2015-09-09T19:37:57","modified_gmt":"2015-09-09T11:37:57","slug":"wordpress-2-8-3-admin-reset-exploit","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2009\/08\/wordpress-2-8-3-admin-reset-exploit\/","title":{"rendered":"WordPress 2.8.3 Admin Reset Exploit"},"content":{"rendered":"

<p>Ah, it’s WordPress again; sometimes I wonder how many holes there are in WordPress. I guess a dedicated attacker could find some serious ones given the complexity of the code base.<\/p>\n

<p>It’s suspected that some of the recent high-profile breaches have come from WordPress exploits.<\/p>\n

<p>The latest one to become public is a simple but effective flaw. It doesn’t enable a take-over, but it does allow a prankster to lock an admin out of their blog by resetting the password.<\/p>\n

<blockquote>\n<p>Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers take over accounts by resetting the administrator password.<\/p>\n

<p>The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required, according to this alert published on the Full-Disclosure mailing list.<\/p>\n

<p>The flaw lurks in some of the PHP code that fails to properly scrutinize user input when the password reset feature is invoked. Exploiting it is as easy as directing a web browser to a link that looks something like:<\/p>\n<\/blockquote>\n

<p>I actually saw the alert as it was published on Full-Disclosure; obviously anything to do with WordPress catches my attention.<\/p>\n

<p>The exploit can be triggered by requesting the following URL on a WordPress 2.8.3 blog:<\/p>\n

<pre>http:\/\/www.domain.com\/wp-login.php?action=rp&key[]=<\/pre>\n

<p>Simple but effective.<\/p>\n