[UNIX] WordPress SQL Column Truncation Vulnerability (PoC)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



WordPress SQL Column Truncation Vulnerability (PoC)
------------------------------------------------------------------------


SUMMARY

A vulnerability in the way WordPress handles new user registration
allows attackers to create a duplicate 'admin' account whose email address
is set to a value different from the default one. This is then used with
the password recovery mechanism to retrieve the password of the true
'admin' account.

DETAILS

Vulnerable Systems:
* WordPress version 2.6.1

Exploit:
1. Go to URL: server.com/wp-login.php?action=register
2. Register as:
login: admin[55 space chars]x (the user name "admin", followed by 55 spaces and the letter "x")
email: your email

Now we have a duplicate 'admin' account in the database.

3. Go to URL: server.com/wp-login.php?action=lostpassword
4. Write your email into field and submit this form
5. Check your email and go to reset confirmation link
6. The admin's password is changed, but the new password will be sent to the
correct admin email
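The following Python snippet is an added illustration for defenders and is not part of the advisory or of WordPress. It models the two database behaviours the PoC relies on (silent truncation of an over-long value to the column width, and trailing spaces being insignificant in comparisons), and shows the weak exact-string duplicate check beside a registration check that compares the form the database would actually store. It assumes user_login is a varchar(60) column on a server not running in strict mode, which the advisory does not state.

```python
from typing import Iterable, List, Tuple

USER_LOGIN_MAX = 60  # assumed width of wp_users.user_login (varchar(60)); not stated in the advisory


def mysql_stored_form(value: str, width: int = USER_LOGIN_MAX) -> str:
    """Model of what a non-strict MySQL server keeps for a VARCHAR column:
    the value is silently cut to the column width, and trailing spaces are
    insignificant for equality under the default PAD SPACE collations."""
    return value[:width].rstrip(" ")


def naive_login_exists(candidate: str, existing_logins: Iterable[str]) -> bool:
    """The weak duplicate check: exact match on the raw string, so a padded
    name that truncates to 'admin' looks like a brand-new user."""
    return candidate in set(existing_logins)


def hardened_login_exists(candidate: str, existing_logins: Iterable[str]) -> bool:
    """Compare the form the database would store, not the raw input."""
    stored = mysql_stored_form(candidate)
    return any(mysql_stored_form(e) == stored for e in existing_logins)


def validate_registration_login(candidate: str, existing_logins: List[str]) -> Tuple[bool, str]:
    """Registration-time validation a defender would add: bound the length so
    nothing can be truncated, reject padding whitespace, and test collisions
    against the stored form rather than the raw string."""
    if len(candidate) > USER_LOGIN_MAX:
        return False, "login longer than the user_login column"
    if candidate != candidate.strip() or "  " in candidate:
        return False, "login contains leading, trailing or repeated spaces"
    if hardened_login_exists(candidate, existing_logins):
        return False, "login collides with an existing account after truncation"
    return True, "ok"


def find_padded_logins(existing_logins: Iterable[str]) -> List[str]:
    """Review aid for an existing user table: logins carrying padding spaces
    or exceeding the column width deserve a closer look."""
    return [login for login in existing_logins
            if login != login.strip() or "  " in login or len(login) > USER_LOGIN_MAX]


if __name__ == "__main__":
    # Constructed sample input shaped like the name the advisory's PoC registers.
    poc_name = "admin" + " " * 55 + "x"
    existing = ["admin", "editor"]
    print(naive_login_exists(poc_name, existing))           # False: the weak check lets it through
    print(mysql_stored_form(poc_name))                      # 'admin': what the database keeps
    print(validate_registration_login(poc_name, existing))  # rejected by the hardened check
```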


ADDITIONAL INFORMATION

The information has been provided by <mailto:irk4z@xxxxxxxx> irk4z.
The original article can be found at: <http://irk4z.wordpress.com/>


