Password-reset flaw haunts WordPress admins
Researchers are sounding the alarm for a serious administrator password-reset vulnerability affecting the latest version of WordPress, the popular open-source blog publishing platform.
The flaw, which can be exploited from an ordinary browser without authentication, gives an attacker a trivial way to trigger a reset of the admin account's password on any WordPress or WordPress MU (multi-user) installation.
Proof-of-concept code demonstrating the problem is publicly available. A patch is currently being prepared for release soon.
Swa Frantzen, an incident handler at the SANS Internet Storm Center, has a detailed explanation of the problem.
UPDATE (August 12, 2009): WordPress has shipped a fix for this "very annoying" problem.
Talkback
Open source and PHP at its worst
That "language" (I use that term in the broadest sense here) is accident upon accident, quirk upon quirk, patch upon patch.
PHP is a complete mess without a single guiding vision other than to allow cowboy coders to whip up insecure and unstable sites with no knowledge of programming. I could write a book about the stupid decisions in PHP.
While WordPress is one of the absolutely most insecure webapps ever written (it has been <i>plagued</i> by faults such as this), you can somewhat forgive the WP developers for this one. PHP has a bad and misguided behavior allowing arrays to be injected into parameters. Combined with weak and dynamic typing you <i>really</i> need to know all the quirks of PHP to avoid mistakes such as this.
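The "arrays injected into parameters" behaviour the comment above refers to is easy to reproduce. The following is an added illustration, not WordPress code and not taken from the SANS write-up: a constructed reset-key lookup over an in-memory user list, with a legacy escaping helper that models what PHP 5-era addslashes() did to a non-string argument (it returned NULL, which interpolates as an empty string; PHP 8 throws a TypeError instead). The user rows, the `escape_legacy()` helper and the key format are assumptions made for the example.

```php
<?php
// Added example (not WordPress code): a query-string value the developer expects
// to be a string arrives as an array, slips past empty(), and collapses to ''
// once it reaches string-only escaping.
// Assumptions: $USERS stands in for the database table; escape_legacy() models
// PHP 5 addslashes(), which returned NULL (interpolated as '') for a non-string.

// Constructed sample rows: an activation_key of '' means "no reset pending".
$USERS = [
    ['id' => 1, 'user_login' => 'admin', 'activation_key' => ''],
    ['id' => 2, 'user_login' => 'bob',   'activation_key' => 'a1b2c3d4e5f6'],
];

// Models PHP 5 addslashes(): a non-string became NULL, and NULL interpolates as ''.
function escape_legacy($value) {
    return is_string($value) ? addslashes($value) : '';
}

// Vulnerable lookup: assumes $key is a string and relies on empty() as its guard.
function find_user_by_key_vulnerable(array $users, $key) {
    // On an array subject, preg_replace() filters each element and returns an array.
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {                 // array('') is a non-empty array: check passes
        return null;
    }
    $escaped = escape_legacy($key);    // array -> '' : effectively "WHERE activation_key = ''"
    foreach ($users as $u) {
        if ($u['activation_key'] === $escaped) {
            return $u;                 // first row with an empty key wins: the admin
        }
    }
    return null;
}

// Hardened lookup: accept only a well-formed key string, never match an empty stored key.
function find_user_by_key_hardened(array $users, $key) {
    if (!is_string($key) || !preg_match('/^[a-z0-9]{12,}$/i', $key)) {
        return null;                   // key[]=, key= and arbitrary junk all stop here
    }
    foreach ($users as $u) {
        // Constant-time comparison; an empty stored key is not a valid reset token.
        if ($u['activation_key'] !== '' && hash_equals($u['activation_key'], $key)) {
            return $u;
        }
    }
    return null;
}

// parse_str() builds the parameter array exactly the way PHP builds $_GET.
parse_str('key[]=', $attack);          // $attack['key'] is array('')
parse_str('key=a1b2c3d4e5f6', $legit); // $legit['key'] is a plain string

$hit = find_user_by_key_vulnerable($USERS, $attack['key']);
echo "vulnerable, key[]=   -> ", $hit ? $hit['user_login'] : 'no match', "\n";
$hit = find_user_by_key_hardened($USERS, $attack['key']);
echo "hardened,   key[]=   -> ", $hit ? $hit['user_login'] : 'no match', "\n";
$hit = find_user_by_key_hardened($USERS, $legit['key']);
echo "hardened,   real key -> ", $hit ? $hit['user_login'] : 'no match', "\n";
```

The point to take away is that `empty()` and a regex-based "sanitizer" are not type checks: both accept an array without complaint. Any value read from `$_GET`, `$_POST` or `$_REQUEST` that is later handed to a string function or a query should be rejected with `is_string()` (or filtered through `filter_input()` with a string filter) before it is used, and a lookup by reset key should never treat an empty stored key as matchable.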
So I see you haven't written a line of PHP yourself...
I'll give you this. It did get a bad rap from being easily accessible and easy to learn. But it's hard to master like any of the real hardcore languages...C/C++ etc. For those of us that KNOW how to write code it's a great and flexible language. For those that don't know how I suggest you learn or go to one of those platforms that codes for you.
What about making it harder to learn?
It doesn't need to be harder to learn.
As for the WordPress developers I'm accusing them of nothing. They made a mistake like developers on every project using every language/platform have made since the beginning of software. Blaming the language is not the answer.
I understand..
The problem is more about accessibility than anything.
The problem is definitely with the language, PHP
Case in point: Variable interpolation. On the surface it is an immensely useful feature. Pity it is so dangerous to use in a public-facing application. For a long time PHP MySQL libraries didn't even <i>support</i> parameterized queries. So string concatenation and (especially) variable interpolation were the preferred ways to synthesize SQL queries. Any sane developer will tell you what that can lead to. Today parameterized queries <i>are</i> supported, but they are still much harder to write than simple variable interpolation. So PHP programmers *still* churn out script after script with SQL injection vulnerabilities.
The <i>really</i> smart PHP developers even used variable interpolation in require/include. That way you can easily get started with a homebrewed CMS: You just pass the "page" name as a querystring parameter and use variable interpolation to include the "meat" of the page. Pretty neat. Unfortunately (at least until recently) PHP allowed you to include/require scripts from remote locations over http. So now you not just have SQL injections, now an attacker can <i>include scripts of his own choosing</i> and execute on your box. Genius!
And pray tell which language....
Language makes no difference. You can churn out insecure stuff in any language. The difference with PHP was the availability of hosting and the ease in setting up your own dev environment that mirrored the production environment of the big boys. Anybody with the slightest inkling to program could do so and release their projects.
Oh my, I've written more PHP than you've eaten peas
It is a horrible language. This vulnerability is just one example of how the weak typing gets you time after time after time.
Register globals, addslashes, magic quotes, unparameterized queries, include/require over http, variable interpolation.
Puzzle, what is the value of this expression:
5=="5ucks"
Nah, the numeric literal 5 cannot possibly be equal to a string. But YES, the above expression actually evaluates to true!
What!!!
Explanation
In the PHP developers' wisdom this means that they'll try to convert the string "5ucks" into a numeric value.
And how do they do that? Well, they parse the string, of course. Again, in their infinite wisdom they just <i>stop parsing</i> when they reach a non-numeric character. They don't throw an error or anything, because <i>that would make parsing harder</i>. So once the parser reaches the "u" character it stops. It already read the digit "5" so it converts that to a numeric.
And of course, 5==5, so the expression is true.
PHP is full of such strangeness.
Of course, somebody realized this to be a problem and sought a solution:
<i>They invented yet another equality compare operator, the triple ===</i>. Genius. This operator only returns true if the two operands also are of the same type!
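The loose comparison the comment above describes is worth seeing where it actually bites in authentication code, next to the strict checks that replace it. The following is an added example, not part of the comment: the two hex digests, the role list and the function names are constructed for illustration. Note that the comment's own puzzle is version-dependent: `5 == "5ucks"` is true on PHP 5 and 7, but PHP 8 changed int-to-string comparison so that it is false there; the `"0e..."` case below is true on every version, because both operands are fully numeric strings.

```php
<?php
// Added example (not from the original comment): PHP loose comparison in places
// where it matters, and the strict alternatives. All values are constructed.

// Two different 32-hex-digit digests that == treats as equal: both are numeric
// strings in scientific notation ("0e" followed by digits), so both evaluate to 0.
const STORED_HASH   = '0e462097431906509019562988736854';
const SUPPLIED_HASH = '0e830400451993494058024219903391';

// Loose comparison: the behaviour the comment warns about.
function tokens_match_loose($stored, $supplied) {
    return $stored == $supplied;
}

// Strict comparison: same type and same bytes; hash_equals() also runs in constant time.
function tokens_match_strict($stored, $supplied) {
    return is_string($supplied) && hash_equals($stored, $supplied);
}

// The comment's puzzle. PHP 5/7 convert "5ucks" to the integer 5 (true);
// PHP 8 instead compares "5" with "5ucks" as strings (false). === never guesses.
function puzzle_loose()  { return 5 == '5ucks'; }
function puzzle_strict() { return 5 === '5ucks'; }

// in_array() is loose by default too; on PHP 5/7 the integer 0 == 'editor' is true,
// so an attacker-supplied 0 would pass a role check. The third argument makes it strict.
function role_allowed_loose(array $allowed, $role)  { return in_array($role, $allowed); }
function role_allowed_strict(array $allowed, $role) { return in_array($role, $allowed, true); }

$allowedRoles = ['editor', 'author'];   // constructed role list

var_dump(tokens_match_loose(STORED_HASH, SUPPLIED_HASH));
var_dump(tokens_match_strict(STORED_HASH, SUPPLIED_HASH));
var_dump(puzzle_loose(), puzzle_strict());
var_dump(role_allowed_loose($allowedRoles, 0));
var_dump(role_allowed_strict($allowedRoles, 0));
```

The practical rule: anything that decides access (tokens, hashes, roles, IDs) is compared with `===`, `hash_equals()`, or `in_array(..., true)`, and its type is checked first, so that a request carrying an integer, an array or a cleverly chosen digest cannot be coerced into a match.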
Thanks
Too much power for some people....
You weren't allowed to rely on the compiler to find your errors. You could do it for assignments but when tests came they were done by hand on paper. If you had an error as simple as leaving off a semicolon on the first line of C code then you failed because the rest of the application would not execute if compiled. You had to be able to step through logic yourself....not stepping through the debugger.
So for me things such as what you have described are wonderful. It would have saved me a ton of time yesterday dealing with type differences in a Java based ETL solution. In fact today I'm about to move some of this stuff to Groovy to cut back on so much Integer.Parse() and the like. When you know how to use these features they are great. If you need something to tell you where you have errored then they are a stumbling block. Simple as that.
You probably have...
Everything you listed is optional. If you use it in an insecure way that's your fault. If you need the language to help you code securely then use a framework like Zend or use another platform altogether. But don't punish the people that know how to be meticulous with their code just because some people can't. If we did that there would be no computer industry because everything from C/C++ on down would be banned.
And for your example you do know that if you wanted to check type as well that you use "===" right?
Here is how you can patch this manually
wordpress-password-reset/
Not really compromising the admin account
Along these same lines, note the errata posted here: http://seclists.org/fulldisclosure/2009/Aug/0115.html
"An attacker could exploit this vulnerability to reset the admin account of any wordpress/wordpress-mu <= 2.8.3"