[UNIX] WordPress SQL Column Truncation Vulnerability (PoC)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 9 Sep 2008 08:47:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
WordPress SQL Column Truncation Vulnerability (PoC)
------------------------------------------------------------------------
SUMMARY
A vulnerability in the way WordPress handles new user registration
allows attackers to create a duplicate 'admin' account whose email address
is set to a value different from the original one. This is then used with
the password recovery mechanism to retrieve the password of the true
'admin' account.
DETAILS
Vulnerable Systems:
* WordPress version 2.6.1
Exploit:
1. Go to URL: server.com/wp-login.php?action=register
2. Register as:
login: admin x (the user admin[55 space chars]x)
email: your email
Now we have a duplicate 'admin' account in the database.
3. Go to URL: server.com/wp-login.php?action=lostpassword
4. Enter your email into the field and submit the form
5. Check your email and follow the reset confirmation link
6. The admin's password is changed, but the new password is sent to the
correct admin email
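The following Python model is added here and is not part of the advisory or of WordPress. It shows why the 61-character login above ends up matching 'admin' once stored, and a registration-side check that rejects such logins before the INSERT. It assumes a 60-character user_login column, MySQL's non-strict silent truncation, and a PAD SPACE collation (trailing spaces ignored in comparisons).

```python
from typing import Iterable, Optional

# Assumed width of the user_login column (VARCHAR(60) in the model used here).
USER_LOGIN_WIDTH = 60


def stored_value(value: str, width: int = USER_LOGIN_WIDTH) -> str:
    """Value the database keeps for a VARCHAR(width) insert in non-strict mode:
    characters past the column width are silently dropped (warning, not error).
    With STRICT_TRANS_TABLES enabled the INSERT would fail instead."""
    return value[:width]


def mysql_equal(a: str, b: str) -> bool:
    """Equality under a PAD SPACE collation: trailing spaces do not count."""
    return a.rstrip(" ") == b.rstrip(" ")


def collides(candidate: str, existing_logins: Iterable[str]) -> bool:
    """Would `candidate`, once stored, match an existing login in a WHERE clause?
    This is the ambiguity the password-reset lookup runs into."""
    stored = stored_value(candidate)
    return any(mysql_equal(stored, login) for login in existing_logins)


def validate_new_login(candidate: str, existing_logins: Iterable[str]) -> Optional[str]:
    """Return a rejection reason, or None if the login is safe to insert.
    The checks run in application code, because the UNIQUE key on the column
    only ever sees the truncated value, not what the user actually typed."""
    if candidate != candidate.strip():
        return "leading or trailing whitespace"
    if len(candidate) > USER_LOGIN_WIDTH:
        return "longer than the column; would be truncated"
    if collides(candidate, list(existing_logins)):
        return "collides with an existing login after storage"
    return None


# Constructed sample data: one real admin plus the advisory's registration value.
EXISTING_LOGINS = ["admin", "editor"]
ATTACK_LOGIN = "admin" + " " * 55 + "x"  # 61 characters, as in the PoC

if __name__ == "__main__":
    print(repr(stored_value(ATTACK_LOGIN)))              # 'admin' followed by 55 spaces
    print(collides(ATTACK_LOGIN, EXISTING_LOGINS))       # True: matches the real admin
    print(validate_new_login(ATTACK_LOGIN, EXISTING_LOGINS))
```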
ADDITIONAL INFORMATION
The information has been provided by <mailto:irk4z@xxxxxxxx> irk4z.
The original article can be found at: <http://irk4z.wordpress.com/>