This test is very convenient, because you can not always keep track of all security updates affecting all your system’s software. Just run this check about once a week and perform the recommended updates. Then you can feel more secure than before.

The test is based on Secunias Personal Software Inspector, a local application that knows much more different programs than the online test. Definitely worth a look, too.

So please, as long as there is no official release fixing this problem, apply this changeset to your wp-login.php.

Simply change line 190 in wp-login.php to

    if ( empty( $key ) || is_array( $key ) )

Then the “arraytrick” does not work anymore. The trick was, that after bypassing if (empty($key)), the database is queried for all users having a blank user_activation_key field. This is true for all users by default (except for those, who have recently ordered an activation key for password reset). Hence, the database simply returns the first user, whose user_activation_key is empty. His password then is reset. This user is likely the admin, because he is the first user in the table.

Update:

The changeset named above is not the only change the WordPress developers made. As we can see from changeset 11800 and changeset 11801, the password reset is only done when the key is actually a string and the user calling the “reset password URL” is logged in. Both modifications are already branched, so you can take this wp-login.php or wait for the next official release.

Update2:

The official update to WordPress 2.8.4 is released! Update now!

To exploit this bug, you even don’t need to have enabled the administration GUI for WAN access. Simple drive-by exploits are possible by placing URLs like

<img src="http://192.168.1.1/cgi-bin/;ANYCOMMAND" alt="">

in any website. Then, the attack comes from within your network. Some Javascript code could find out your router’s IP address. This should work very often and smells like a DD-WRT bot net. Someone stated in DD-WRT’s forum:

The sky is falling…
This is all much to do about nothing.
This is an international community.
65,270 registered members. Right now, there is 129 guests online (guests = not registered) + the registered members.
Who has been hacked?

In fact, this vulnerability is horrible. So, hurry up with changing your router’s setting! You’ve two possibilities:

• Update to DD-WRT V24-SP2pre (there, they’ve already fixed the problem)

• If you do not want to update, it seems that the only secure options is to turn off https management and to reject inbound traffic containing “cgi-bin” in an URL. Go to your router admin GUI, choose “Administration”, “Commands” and enter the follwing commands to 1) insert ipt_webstr kernel module and 2) set the corresponding iptables REJECT rule:

  insmod ipt_webstr
  iptables -I INPUT -p tcp -m tcp -m webstr --url cgi-bin -j REJECT --reject-with tcp-reset

  Press “Save Firewall”, then reboot your router.

Let’s see what the future brings….