MA-139.092008 : MyCERT Special Alert - Vulnerability in WordPress blog publishing application

Original Issue Date: 23rd September 2008

1.0 Introduction

WordPress has announced a critical vulnerability in WordPress 2.6.1 and earlier that allows an attacker to take over another user's account, including the administrator's, through the password reset function. The attacker forces a password reset on the victim's account and then guesses the automatically generated replacement password, which is produced by a weak pseudo-random number generator.

2.0 Impact

The vulnerability is a MySQL column truncation problem: a user name longer than the user_login column is silently cut down on INSERT, and MySQL's string comparison ignores trailing spaces, so a crafted registration collides with an existing account. As a result, a password reset requested for the attacker's account is applied to the victim's account, whose password is reset to a random string. The chronology of the attack is as follows:

1. If the blog allows open registration, the attacker registers the user name 'admin' + 55 spaces + 'x'. The name passes the "user name already exists" check because it differs from 'admin', but on insertion MySQL truncates it to 'admin' + 55 spaces, which MySQL treats as equal to 'admin' in comparisons [1].
2. The attacker requests a password reset for the new account.
3. WordPress issues a random password reset token.
4. The token is written to the database as the current reset token for the attacker's account and also for the legitimate administrator's account, because the UPDATE selects rows by user_login and the truncated name matches both rows. This is the MySQL column truncation vulnerability.
5. The password reset token is e-mailed to the attacker only, since the attacker made the request.
6. When the token is used, WordPress resets the password of the first matching row in the database, which is the legitimate administrator's account.
7. The newly generated password is e-mailed to the legitimate administrator, who will only notice the reset when checking e-mail.
8. By that time the administrator may already have lost control of the blog: the auto-generated password comes from a weak pseudo-random number generator and is easy to guess, so the attacker may have recovered it first.
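The chain above, replayed as an added example that is not part of the MyCERT alert and is not WordPress's own code. It models the two MySQL behaviours the attack depends on in plain Python (a non-strict INSERT silently truncating a VARCHAR(60) value, and trailing spaces being ignored by '=' under MySQL's default PAD SPACE collations) and runs the same steps against a vulnerable and a hardened variant. The table layout, function names, e-mail addresses and token values are assumptions made for the illustration, and the hardened variant shows one way to close the hole (reject any login the column would alter, and write the reset token by primary key), not the exact change shipped in WordPress 2.6.2.

```python
# Added example, not code from WordPress or from the MyCERT alert.
# Names, table layout and the hardened variant are illustrative assumptions.

USER_LOGIN_WIDTH = 60  # wp_users.user_login is VARCHAR(60); 'admin' + 55 spaces fills it


def mysql_store(value: str, width: int = USER_LOGIN_WIDTH) -> str:
    """Non-strict MySQL silently truncates an over-long string on INSERT."""
    return value[:width]


def mysql_eq(a: str, b: str) -> bool:
    """MySQL's default PAD SPACE collations: '=' ignores trailing spaces."""
    return a.rstrip(" ") == b.rstrip(" ")


class WpUsers:
    """Minimal in-memory stand-in for wp_users, rows kept in insertion (ID) order."""

    def __init__(self):
        self.rows = []

    def _insert(self, login, email):
        row = {"ID": len(self.rows) + 1, "user_login": mysql_store(login),
               "user_email": email, "user_pass": None, "user_activation_key": ""}
        self.rows.append(row)
        return row

    def register_vulnerable(self, login, email):
        """Uniqueness check on the untruncated name, followed by a truncating INSERT."""
        if any(mysql_eq(r["user_login"], login) for r in self.rows):
            raise ValueError("username already exists")
        return self._insert(login, email)

    def register_hardened(self, login, email):
        """Reject anything the column would alter before it reaches the INSERT."""
        if len(login) > USER_LOGIN_WIDTH or login != login.strip():
            raise ValueError("invalid username")
        if any(mysql_eq(r["user_login"], login) for r in self.rows):
            raise ValueError("username already exists")
        return self._insert(login, email)

    def request_reset_vulnerable(self, email, token):
        """UPDATE wp_users SET user_activation_key=%s WHERE user_login=%s (by login)."""
        requester = next(r for r in self.rows if r["user_email"] == email)
        hit = [r for r in self.rows if mysql_eq(r["user_login"], requester["user_login"])]
        for r in hit:
            r["user_activation_key"] = token
        return requester["user_email"], [r["ID"] for r in hit]

    def request_reset_hardened(self, email, token):
        """Same write, but keyed on the requester's primary key (WHERE ID=%s)."""
        requester = next(r for r in self.rows if r["user_email"] == email)
        requester["user_activation_key"] = token
        return requester["user_email"], [requester["ID"]]

    def use_reset_key(self, token, new_password):
        """SELECT ... WHERE user_activation_key=%s: the first matching row is reset."""
        victim = next(r for r in self.rows if r["user_activation_key"] == token)
        victim["user_pass"] = new_password
        victim["user_activation_key"] = ""
        return victim["user_login"], victim["user_email"]


def run_attack(register_name="register_vulnerable",
               reset_name="request_reset_vulnerable"):
    """Replay the alert's chronology against the chosen registration/reset pair."""
    db = WpUsers()
    db.register_hardened("admin", "admin@blog.example")  # the legitimate administrator
    crafted = "admin" + " " * 55 + "x"                   # 61 chars; stored as 60
    try:
        getattr(db, register_name)(crafted, "attacker@evil.example")
    except ValueError as e:
        return {"registered": False, "reason": str(e)}
    mailed_to, updated = getattr(db, reset_name)("attacker@evil.example", "tok123")
    reset_login, pw_mailed_to = db.use_reset_key("tok123", "N3wP4ss")
    return {"registered": True, "token_mailed_to": mailed_to,
            "rows_with_token": updated, "reset_account": reset_login,
            "password_mailed_to": pw_mailed_to}


if __name__ == "__main__":
    print("vulnerable:", run_attack())
    print("hardened:  ", run_attack("register_hardened", "request_reset_hardened"))
```

In the vulnerable run the token lands on both rows (IDs 1 and 2), the token e-mail goes to the attacker, and the row actually reset is 'admin', whose new password is mailed to the administrator, exactly the sequence in steps 4 to 7. With the hardened registration the crafted name is refused before the INSERT; keying the reset on ID alone also confines the token to the attacker's own row, but the collision in user_login would remain, so the registration check is the fix that matters.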
3.0 Affected Products

All versions of WordPress 2.6.1 and below are affected by this vulnerability if the blog allows open registration.

4.0 Recommendation

MyCERT recommends that users upgrade their WordPress installation to the latest version (WordPress 2.6.2 at the time of writing) by following the instructions on the WordPress website: http://codex.wordpress.org/Upgrading_WordPress

5.0 References

http://secunia.com/advisories/31737/ [1]
http://www.us-cert.gov/current/
http://wordpress.org/development/2008/09/wordpress-262/
http://osvdb.org/show/osvdb/48022
Revision History:
Initial Release: 23rd September 2008