Vulnerabilities > CVE-2009-2762 - Credentials Management vulnerability in Wordpress

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

wp-login.php in WordPress 2.8.3 and earlier allows remote attackers to force a password reset for the first user in the database, possibly the administrator, via a key[] array variable in a resetpass (aka rp) action, which bypasses a check that assumes that $key is not an array.

Vulnerable Configurations

Part Description Count
Application
Wordpress
162

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionWordpress 2.6.1 SQL Column Truncation Vulnerability. CVE-2009-2762. Webapps exploit for php platform (note: EDB-ID 6397 and EDB-ID 6421 in this list are dated 2008 and describe the SQL column-truncation issue in WordPress 2.6.1, which is a different flaw from the 2.8.3 key[] password-reset bypass given in the Summary; of the three entries only EDB-ID 9410 matches that description)
    idEDB-ID:6397
    last seen2016-01-31
    modified2008-09-07
    published2008-09-07
    reporterirk4z
    sourcehttps://www.exploit-db.com/download/6397/
    titleWordPress 2.6.1 - SQL Column Truncation Vulnerability
  • descriptionWordpress <= 2.8.3 Remote Admin Reset Password Vulnerability. CVE-2009-2762. Webapps exploit for php platform
    fileexploits/php/webapps/9410.txt
    idEDB-ID:9410
    last seen2016-02-01
    modified2009-08-11
    platformphp
    port
    published2009-08-11
    reporterlaurent gaffié
    sourcehttps://www.exploit-db.com/download/9410/
    titleWordPress <= 2.8.3 - Remote Admin Reset Password Vulnerability
    typewebapps
  • descriptionWordpress 2.6.1 (SQL Column Truncation) Admin Takeover Exploit. CVE-2009-2762. Webapps exploit for php platform
    idEDB-ID:6421
    last seen2016-01-31
    modified2008-09-10
    published2008-09-10
    reporteriso^kpsbr
    sourcehttps://www.exploit-db.com/download/6421/
    titleWordPress 2.6.1 - SQL Column Truncation Admin Takeover Exploit

Nessus

  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_2430E9C3874111DE938E003048590F9E.NASL
    descriptionWordPress reports : A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.
    last seen2020-06-01
    modified2020-06-02
    plugin id40583
    published2009-08-13
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/40583
    titleFreeBSD : wordpress -- remote admin password reset vulnerability (2430e9c3-8741-11de-938e-003048590f9e)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    # Registration branch: when the plugin is loaded with `description` set,
    # only the metadata below is recorded and the script exits at the end of
    # this block, so the package check further down never runs in that mode.
    if (description)
    {
      script_id(40583);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:39");
    
      script_cve_id("CVE-2009-2762");
      script_xref(name:"EDB-ID", value:"9410");
    
      script_name(english:"FreeBSD : wordpress -- remote admin password reset vulnerability (2430e9c3-8741-11de-938e-003048590f9e)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "WordPress reports :
    
    A specially crafted URL could be requested that would allow an
    attacker to bypass a security check to verify a user requested a
    password reset. As a result, the first account without a key in the
    database (usually the admin account) would have its password reset and
    a new password would be emailed to the account owner."
      );
      # http://wordpress.org/development/2009/08/2-8-4-security-release/
      script_set_attribute(
        attribute:"see_also",
        value:"https://wordpress.org/news/2009/08/2-8-4-security-release/"
      );
      # https://vuxml.freebsd.org/freebsd/2430e9c3-8741-11de-938e-003048590f9e.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d6ea8f24"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # NOTE(review): this vector scores confidentiality as partial (C:P) and
      # marks an exploit as available, whereas the two remote WordPress
      # plugins for the same CVE (40577, 40578) use C:N and
      # exploit_available "false"; the FreeBSD VuXML scoring is kept here.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(255);
    
      # Local (package-list) check; one CPE per FreeBSD port flavour that the
      # pkg_test() patterns below cover, plus the OS itself.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:de-wordpress");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wordpress");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wordpress-mu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      # The three KB keys required here are exactly the ones the check body
      # tests for before calling pkg_test(); presumably they are populated by
      # the ssh_get_info.nasl dependency.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Preconditions for a local package check: credentialed access, a FreeBSD
    # release string and the pkg_info listing. audit() exits, so anything below
    # this point can rely on all three being present.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Vulnerable ranges for the three port flavours; the fixed versions are
    # 2.8.4 (wordpress, de-wordpress) and 2.8.4a (wordpress-mu). The ",1" on
    # the first pattern is the port's epoch suffix, not part of the version.
    affected = make_list(
      "wordpress<2.8.4,1",
      "de-wordpress<2.8.4",
      "wordpress-mu<2.8.4a"
    );
    
    # Count matches rather than stopping at the first one so that
    # pkg_report_get() can list every affected package.
    hits = 0;
    foreach pattern (affected)
    {
      if (pkg_test(save_report:TRUE, pkg:pattern)) hits++;
    }
    
    if (!hits) audit(AUDIT_HOST_NOT, "affected");
    
    if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familyCGI abuses
    NASL idWORDPRESS_PASSWORD_RESET_VER.NASL
    descriptionAccording to its version number, the version of WordPress running on the remote server has a flaw in the password reset mechanism. Validation of the secret user activation key can be bypassed by providing an array instead of a string. This allows anyone to reset the password of the first user in the database, which is usually the administrator. A remote attacker can use this to repeatedly reset the password, leading to a denial of service condition.
    last seen2020-06-01
    modified2020-06-02
    plugin id40578
    published2009-08-12
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40578
    titleWordPress < 2.8.4 'wp-login.php' 'key' Parameter Remote Administrator Password Reset (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set, only the metadata below is
    # recorded and the script exits at the end of this block; the version
    # comparison further down runs only in a real scan.
    if (description)
    {
      script_id(40578);
      script_version("1.19");
      script_cvs_date("Date: 2018/11/15 20:50:19");
    
      script_cve_id("CVE-2009-2762");
      script_bugtraq_id(36014);
      script_xref(name:"EDB-ID", value:"9410");
      script_xref(name:"Secunia", value:"36237");
    
      script_name(english:"WordPress < 2.8.4 'wp-login.php' 'key' Parameter Remote Administrator Password Reset (uncredentialed check)");
      script_summary(english:"Checks version of WordPress.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by a
    security bypass vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its version number, the version of WordPress running on
    the remote server has a flaw in the password reset mechanism.
    Validation of the secret user activation key can be bypassed by
    providing an array instead of a string. This allows anyone to reset
    the password of the first user in the database, which is usually the
    administrator. A remote attacker can use this to repeatedly reset the
    password, leading to a denial of service condition.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2009/Aug/113");
      script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/11798");
      script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2009/08/2-8-4-security-release/");
      script_set_attribute(attribute:"solution", value:"Upgrade to WordPress 2.8.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/12");
    
      # Version-number check only (no request is sent that would trigger the
      # reset), hence "potential" and, together with the Settings/ParanoidReport
      # key required below, reported only under paranoid settings. The
      # companion plugin 40577 performs the active check.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      # Relies on wordpress_detect.nasl having recorded the install (path and
      # version are read from it in the check body).
      script_dependencies("wordpress_detect.nasl");
      script_require_keys("www/PHP", "installed_sw/WordPress", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app = "WordPress";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    
    # One install per port; an unknown version makes get_single_install() exit,
    # so `version` below is always a non-empty string.
    install = get_single_install(
      app_name : app,
      port     : port,
      exit_if_unknown_ver : TRUE
    );
    
    dir = install['path'];
    version = install['version'];
    install_url = build_url(port:port, qs:dir);
    
    # Version-only evidence: report it only when the scan runs in paranoid mode
    # (presumably because a backported fix would not change the version string).
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    parts = split(version, sep:'.', keep:FALSE);
    major = int(parts[0]);
    minor = int(parts[1]);
    # NOTE(review): a two-component version such as "2.8" leaves parts[2]
    # unset; int() of that is presumably 0, which still classifies it as
    # affected — confirm that is the intended outcome.
    rev = int(parts[2]);
    
    # Versions < 2.8.4 are affected; compare numerically, component by
    # component, rather than as strings.
    is_affected = FALSE;
    if (major < 2) is_affected = TRUE;
    else if (major == 2 && minor < 8) is_affected = TRUE;
    else if (major == 2 && minor == 8 && rev < 4) is_affected = TRUE;
    
    if (!is_affected) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
    if (report_verbosity > 0)
    {
      details =
        '\n URL               : ' + install_url +
        '\n Installed version : ' + version +
        '\n Fixed version     : 2.8.4\n';
      security_warning(port:port, extra:details);
    }
    else security_warning(port);
    exit(0);
    
  • NASL familyCGI abuses
    NASL idWORDPRESS_PASSWORD_RESET.NASL
    descriptionThe version of WordPress hosted on the remote web server has a flaw in the password reset mechanism. Validation of the secret user activation key can be bypassed by providing an array instead of a string. This allows anyone to reset the password of the first user in the database, which is usually the administrator. A remote attacker can use this to repeatedly reset the password, leading to a denial of service condition.
    last seen2020-06-01
    modified2020-06-02
    plugin id40577
    published2009-08-12
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40577
    titleWordPress < 2.8.4 Password Reset
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: with `description` set, only the metadata below is
    # recorded and the script exits at the end of this block; the HTTP probe
    # further down runs only in a real scan.
    if (description)
    {
      script_id(40577);
      script_version("1.18");
      script_cvs_date("Date: 2018/11/15 20:50:19");
    
      script_cve_id("CVE-2009-2762");
      script_bugtraq_id(36014);
      script_xref(name:"EDB-ID", value:"9410");
      script_xref(name:"Secunia", value:"36237");
    
      script_name(english:"WordPress < 2.8.4 Password Reset");
      script_summary(english:"Attempts to do a password reset.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by a
    security bypass vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of WordPress hosted on the remote web server has a flaw in
    the password reset mechanism. Validation of the secret user activation
    key can be bypassed by providing an array instead of a string. This
    allows anyone to reset the password of the first user in the database,
    which is usually the administrator. A remote attacker can use this to
    repeatedly reset the password, leading to a denial of service
    condition.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2009/Aug/113");
      script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/11798");
      script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2009/08/2-8-4-security-release/");
      script_set_attribute(attribute:"solution", value:"Upgrade to WordPress 2.8.4 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(255);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
      script_end_attributes();
    
      # Destructive category: the check body really performs the reset request
      # (see script_summary above), so on a vulnerable target an account
      # password is changed as a side effect of the scan. The non-intrusive
      # version-based alternative is plugin 40578.
      script_category(ACT_DESTRUCTIVE_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      # Relies on wordpress_detect.nasl having recorded the install path that
      # the check body reads.
      script_dependencies("wordpress_detect.nasl");
      script_require_keys("installed_sw/WordPress", "www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app = "WordPress";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    
    # No version requirement here: this is an active check, so the install
    # only needs a known path.
    install = get_single_install(
      app_name : app,
      port     : port
    );
    
    dir = install['path'];
    install_url = build_url(port:port, qs:dir);
    
    # The request below is the reset itself (the plugin is registered as
    # ACT_DESTRUCTIVE_ATTACK): on a vulnerable target the first account's
    # password is changed and its owner is mailed a new one, so this is not a
    # read-only probe.
    probe = '/wp-login.php?action=rp&key[]=';
    reply = http_send_recv3(method:"GET", item:dir+probe, port:port, exit_on_fail:TRUE);
    
    # reply[1] is the part of the response the Location header is searched in.
    # A vulnerable install redirects to
    #   wp-login.php?checkemail=newpass
    # and a patched one to
    #   wp-login.php?action=lostpassword&error=invalidkey
    # Anything other than the vulnerable redirect counts as not affected.
    if ('Location: wp-login.php?checkemail=newpass' >!< reply[1])
      audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);
    
    if (report_verbosity > 0)
    {
      details =
        '\n' +
        'Nessus requested the following URL :\n\n' +
        '  ' + install_url + probe + '\n\n' +
        'which resulted in the password reset of a WordPress account on the\n' +
        'remote host. The affected user will likely receive an email\n' +
        'informing them of this.\n';
      security_warning(port:port, extra:details);
    }
    else security_warning(port);
    exit(0);