Patching the Admin Password Reset Bug in WordPress <= 2.8.3

Posted on 3 February 2010 by

WARNING!

This article is for informational purposes only; the author is not responsible for any actions taken as a result of it. Thank you.

If you use WordPress as your blog engine, the following information may be very useful to you. WordPress versions before 2.8.4 have an admin password reset bug. On those versions, someone without any privileges at all can easily reset your account password simply by supplying an array in the key parameter of the URL query string.

Example of a normal link:

http://www.example.com/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag

Link that triggers the reset:

http://www.example.com/wp-login.php?action=rp&key[]=

Below is the code fragment responsible for the bug. Because the key is taken straight from $_GET, a key[]= parameter arrives as an array; preg_replace() applied to an array returns an array, so the empty($key) check does not reject it and the lookup proceeds.

wp-login.php:
...[snip]...
around line 186:
function reset_password($key) {
	global $wpdb;

	$key = preg_replace("/[^a-z0-9]/i", "", $key);

	if ( empty( $key ) )
		return new WP_Error("invalid_key", __("Invalid key"));

	$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
	if ( empty( $user ) )
		return new WP_Error("invalid_key", __("Invalid key"));
...[snip]...
around line 276:
$action = isset($_REQUEST["action"]) ? $_REQUEST["action"] : "login";
$errors = new WP_Error();

if ( isset($_GET["key"]) )
	$action = "resetpass";

// validate action so as to default to the login screen
if ( !in_array($action, array("logout", "lostpassword", "retrievepassword", "resetpass", "rp", "register", "login")) && false === has_filter("login_form_" . $action) )
	$action = "login";
...[snip]...

around line 370:

	break;

case "resetpass" :
case "rp" :
	$errors = reset_password($_GET["key"]);

	if ( ! is_wp_error($errors) ) {
		wp_redirect("wp-login.php?checkemail=newpass");
		exit();
	}

	wp_redirect("wp-login.php?action=lostpassword&error=invalidkey");
	exit();

break;
...[snip]...

» Patching the Bug

There are two ways to fix the bug:

  • Upgrade to WordPress 2.8.4, or
  • Apply the patch manually

For those too lazy to upgrade WordPress, apply the manual patch as soon as possible. Below are the changes to wp-login.php before and after patching.

Before the patch (look around line 350):

case "resetpass" :
case "rp" :
	$errors = reset_password($_GET["key"]);

	if ( ! is_wp_error($errors) ) {
		wp_redirect("wp-login.php?checkemail=newpass");
		exit();
	}

	wp_redirect("wp-login.php?action=lostpassword&error=invalidkey");
	exit();

break;

After the patch:

case "resetpass" :
case "rp" :
	// key[]= makes $_GET["key"] an array; reject it before reset_password() sees it
	if (is_array($_GET["key"])) {
		die("Hacking detected.");
		exit();
	}
	$errors = reset_password($_GET["key"]);

	if ( ! is_wp_error($errors) ) {
		wp_redirect("wp-login.php?checkemail=newpass");
		exit();
	}

	wp_redirect("wp-login.php?action=lostpassword&error=invalidkey");
	exit();

break;

Then re-upload wp-login.php to your server.
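To see the vulnerable check and the fix side by side without a WordPress install or a database, here is an added PHP example (not code from this post or from WordPress) that isolates the key check at the top of reset_password(): the vulnerable form as shown above, and a hardened form that requires a non-empty string before doing anything. The function names and the decision to stop where the SQL lookup would begin are this example's own; the two sample query strings are the ones from the links above.

```php
<?php
// Added example (not from the original post or WordPress): reproduces the
// key-validation logic of reset_password() in isolation, without a database,
// to show how an array-valued "key" slips past the empty() check and how a
// type check stops it.

// Mirrors the first lines of the vulnerable reset_password().
// Returns the key that would be handed to the SQL lookup, or null if rejected.
function vulnerable_key_check($key) {
    // preg_replace() on an array returns an array, not a string
    $key = preg_replace("/[^a-z0-9]/i", "", $key);
    if ( empty( $key ) )        // a non-empty array is not "empty"
        return null;            // "Invalid key"
    return $key;                // would reach $wpdb->prepare(...)
}

// Hardened variant (example only): insist on a non-empty string before any
// processing, so arrays never reach the query. The post's patch gets the same
// effect with is_array() at the call site in wp-login.php.
function hardened_key_check($key) {
    if ( ! is_string( $key ) )
        return null;
    $key = preg_replace("/[^a-z0-9]/i", "", $key);
    if ( $key === "" )
        return null;
    return $key;
}

// Constructed samples: the query strings of the two URLs in the post.
$samples = array(
    "normal reset link" => "action=rp&key=o7naCKN3OoeU2KJMMsag",
    "array-valued key"  => "action=rp&key[]=",
);

foreach ($samples as $label => $query) {
    parse_str($query, $get);     // what PHP itself would place in $_GET
    $vuln = vulnerable_key_check($get["key"]);
    $hard = hardened_key_check($get["key"]);
    printf("%-18s key is %-6s | vulnerable: %s | hardened: %s\n",
        $label,
        gettype($get["key"]),
        $vuln === null ? "rejected" : "accepted " . json_encode($vuln),
        $hard === null ? "rejected" : "accepted");
}
```

Run it from the command line with php. parse_str() stands in for PHP's own population of $_GET, so the second sample arrives as an array exactly as it would from the key[]= URL; the vulnerable function lets it through while the hardened one rejects it. Checking the type inside the function, rather than only at the one call site as the post's patch does, protects every caller of reset_password().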

If you have shell access to the server, you can apply the patch with the following command (assuming wp-login.php.patch is in the same directory).

$ patch wp-login.php -i wp-login.php.patch

Download wp-login.php.patch

References:
http://milw0rm.com/exploits/9410

Posted by rio
