This is just way too exciting! WordPress, THE CMS of choice for bloggers, has such a big security hole! Someone has found a way to reset the admin password without any confirmation, and this can have serious consequences.
The hack is still open and can even be applied to the latest WordPress release, 2.8.3.
This is how it works:
The normal password reset page asks you to enter a username or email address. If that is valid, a link is sent to the email address associated with that account so you can reset your password; note that the password itself is not changed at this point, so you can simply ignore the email and carry on.
But hackers have found a way to bypass that check entirely: the password is reset by passing a special value in the key parameter of the reset page URL.
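As an added illustration from the defender's side (this is not code from the post or from WordPress itself), here is how a reset-key check can be written so that the key must be present, must be a single well-formed string, must belong to the named account and can be used only once. The in-memory store, the key format and the function names are assumptions.

```python
import hmac
import re
import secrets

# Constructed in-memory store: login -> pending reset key (None when no reset is pending).
# A real site keeps this in its user table; the sample key below is made up.
PENDING_RESET_KEYS = {
    "admin": "3f9a1c2e7b8d4e5f6a7b8c9d0e1f2a3b",
    "editor": None,
}

# Only keys we issued ourselves look like this: 32 lowercase hex characters.
KEY_PATTERN = re.compile(r"^[0-9a-f]{32}$")


def issue_reset_key(login):
    """Create a fresh single-use key for an existing account; None if no such user."""
    if login not in PENDING_RESET_KEYS:
        return None
    key = secrets.token_hex(16)
    PENDING_RESET_KEYS[login] = key
    return key


def check_reset_key(login, key):
    """True only when key is a well-formed string matching the pending key for login.

    The request layer may hand us None (parameter absent), "" (present but empty),
    a list (parameter repeated or sent as an array) or arbitrary text.  Anything that
    is not a single well-formed string is refused before any lookup takes place, so a
    malformed key value can never match an account that has no reset pending.
    """
    if not isinstance(login, str) or not isinstance(key, str):
        return False
    if not KEY_PATTERN.fullmatch(key):
        return False
    expected = PENDING_RESET_KEYS.get(login)
    if not expected:  # unknown user, or no reset was requested for this account
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected, key)


def consume_reset_key(login, key):
    """Validate and invalidate in one step so a key cannot be replayed."""
    if not check_reset_key(login, key):
        return False
    PENDING_RESET_KEYS[login] = None
    return True
```

The check is bound to both the login and the key, so a reset link must carry the account it was issued for; a key that is absent, empty, of the wrong type or the wrong shape fails before the database is consulted.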
This is all you have to do:
Replace domainname with any domain name of a blog hosted on WordPress and see it for yourself!
Don’t waste time trying this on ProgrammerFish, because I have already secured it.
If you also want to know the fix, then you had better search for it yourself or wait for my update; until then, let me test this on some more blogs.
Here is a list of blogs that I have tried this hack on. Sorry, guys. You can always restore your passwords, though.
2) TechToggle – I really like this blog though
3) TutPlus – Yeah yeah yeah!
5) WordPress founder’s personal blog! ma.tt [I’m not sure whether it’s reset or not, but I think it is]
There are a couple of others I tried this on, and none of them was protected!
Note: I have just tried this as a proof of concept and nothing more than that. You will get an email with your new password and can always reset it yourself again. And sorry, guys, open source is not the best thing on earth!
Read the detailed fix for this WordPress admin password reset exploit