ghacks Finds WordPress Vulnerability
I’m sure that this vulnerability will be fixed almost immediately, but because I love WordPress (and WordPress Mu) and use it for tons of blogs, I thought it best to clip the entire post from Martin @ gHacks today.
It looks like it could be used for DDOS attacks but not for access. WordPress (and WordPress Mu) is an excellent piece of code, and its developers are very on top of patches and fixes, so I’m not worried about this at all. Your mileage may vary.
More information can be had here.
The password of my WordPress admin account was not valid when I tried to login today. I first thought it was a problem with the LastPass password manager and tried to see if I was still logged into the service. When I checked my email inbox I noticed that I have received a new password for the account. That was strange since I did not request a new password. It was not that much of a concern to me as I thought that someone might have used the password reset functionality to reset the password which meant that physical access to the new password was not possible.
A new post appeared on the WordPress discussion list today revealing more details about the process. Everyone is apparently able to reset a WordPress password if the email address of the WordPress user is known. All that needs to be done is to point the web browser at http://www.domain.com/wp-login.php?action=lostpassword to reset the password. The email address of the account holder has to be supplied in the form. WordPress usually will send a confirmation email first asking the email account owner if the password should be reset. The vulnerability manipulates the query to skip this step.
It is not possible to exploit this vulnerability further, which means attackers cannot get access to the user account. It can, however, theoretically be used to reset the password regularly to lock the user or admin out of the WordPress blog.
A temporary fix for the remote admin password reset vulnerability was posted. WordPress administrators need to change one line of code in the wp-login.php file of the WordPress installation to protect their blog from the attack.
Replace
if ( empty( $key ) )
With
if ( empty( $key ) || is_array( $key ) )
It is advised to apply the temporary fix as soon as possible to WordPress installations.
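To see why the one-line patch quoted above works, here is an added PHP sketch; it is not WordPress code and not from the gHacks post, and the function names, the constructed query strings and the stricter third check are illustration only:

```php
<?php
// Added illustration, not WordPress code: why "empty($key)" alone is
// not enough and the patched "empty($key) || is_array($key)" is.
// PHP builds $_GET with parse_str(), which turns a parameter written
// with square brackets into an array; empty() is false for any
// non-empty array, so an array-typed value passes a presence check
// that was written with a string in mind.

// Check as it stood before the fix: returns true when the key is rejected.
function reset_key_rejected_vulnerable($key): bool
{
    return empty($key);
}

// Check after the one-line fix quoted above.
function reset_key_rejected_fixed($key): bool
{
    return empty($key) || is_array($key);
}

// Stricter form (added here, not from the patch): accept only a
// non-empty string, which also rejects ints, bools and nulls.
function reset_key_rejected_strict($key): bool
{
    return !is_string($key) || $key === '';
}

// Constructed query strings standing in for what a browser would send.
$cases = [
    'action=rp&key=abc123'   => 'string key',
    'action=rp&key='         => 'empty key',
    'action=rp&key[]=abc123' => 'array-typed key',
];

foreach ($cases as $qs => $label) {
    parse_str($qs, $params);               // same parsing PHP applies to $_GET
    $key = $params['key'] ?? '';
    printf(
        "%-16s (%-6s) vulnerable:%-9s fixed:%-9s strict:%s\n",
        $label,
        gettype($key),
        reset_key_rejected_vulnerable($key) ? 'rejected' : 'accepted',
        reset_key_rejected_fixed($key) ? 'rejected' : 'accepted',
        reset_key_rejected_strict($key) ? 'rejected' : 'accepted'
    );
}
// Only the array-typed case differs: the pre-fix check accepts it,
// both patched checks reject it.
```

The lesson carries beyond this one bug: a presence check on user input must also pin down the type, or the check silently passes values of a shape the rest of the code never expected.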
Source: WordPress Remote Admin Password Reset Vulnerability (gHacks, http://www.ghacks.net)
Additional Coverage:
Sucuri Security: WordPress <= 2.8.3 Remote admin reset password (http://blog.sucuri.net). “How to annoy a WordPress admin? By changing his password without confirmation…”
Microsoft Patch Watch: WordPress <= 2.8.3 Remote admin reset password (http://mspatchwatch.com)
The H, via All About WordPress: WordPress vulnerability allows remote admin password reset (http://allaboutwordpress.com). “A vulnerability in the current 2.8.3 release of the popular WordPress blogging software can …”
Security-Shell: WordPress 2.8.3 Remote admin reset password (http://security-sh3ll.blogspot.com). “The way WordPress handles a password reset looks like this: You submit your email address or username via this form /wp-login.php?action=lostpassword …”
Laurent Gaffié blog: WordPress <= 2.8.* Remote admin reset password (http://g-laurent.blogspot.com). From the advisory’s background section: “WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both…”


May 3rd, 2010 at 7:20 pm
Don’t people just get burned out by incessant upgrades? I mean, fixing security matters is a big thing, but a new release every 2 months? It can become really wearisome for the user, particularly if you have half a dozen web sites that ask to be upgraded.