Wordpress 2.1.3 admin-ajax.php vulnerability
Tuesday, June 26th, 2007 in Wordpress
Surfing the web today I’ve spotted a vulnerability in Wordpress that gives an attacker the possibility to find out your admin login username and the md5 hash of your password.
It uses the wp-admin/admin-ajax.php file to achieve that. How it works is not the point here; how you can protect yourself from it is.
One solution to avoid this problem is to upgrade to the latest version, but if you don’t want to do that, there are a few things you can do to avoid an attack.
The attack is based on the presumption that you used the default settings when you installed Wordpress 2.1.3 on your server. This means that your database tables probably have the wp_ prefix (i.e. wp_users for the users table). So you could change the table prefix from wp_ to, let’s say, my_exploit_free_prefix_, but you will need to be careful or your Wordpress 2.1.3 blog will stop working.
Another assumption of this exploit is that the id of the admin user in your database is set to 1. You could change that and maybe the problem will disappear.
Since the admin-ajax.php file is accessed by the Wordpress script and not by other users (when I say users, I mean operating system users, not the people visiting your website or anything else), the best solution, if you ask me, is to deny access to any user other than your server. This is the simplest way to avoid an attack on the wp-admin/admin-ajax.php file of your Wordpress 2.1.3 blog.
To do this, you need a file called .htaccess in the root directory where Wordpress 2.1.3 is installed. All you have to do is add the following three lines to that file.
<files admin-ajax.php>
deny from all
</files>
To test if this works, try to access the wp-admin/admin-ajax.php file from your web browser (i.e. http://www.your_web_domain.com/wp-admin/admin-ajax.php). If you get an Access Denied page, it’s all ok. Since access is blocked only for external users, any Wordpress 2.1.3 file that sends requests to this file will get an answer from it and everything will work just fine.
Later edit
Well, if you deny access to admin-ajax.php from your .htaccess file, you’ll find yourself unable to add any categories, since you won’t have access to it (and that was very obvious from the file name: admin-AJAX.php). And this is maybe just one of the side effects.
In the end you’ll need to update to the latest stable version (Wordpress 2.2.1) and get rid of all problems (at least for the moment).
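As an added example that is not part of the original post, here is a narrower form of the same .htaccess rule: it keeps wp-admin/admin-ajax.php reachable from the administrator’s own address (so the admin pages that call it still work) while refusing everyone else. The address 203.0.113.10 is a placeholder for your own IP, and the two branches cover Apache 2.2 and Apache 2.4 access-control syntax.

```apache
# Added example, not from the original post.
# Matches admin-ajax.php by file name, so it can live in the
# Wordpress root .htaccess and still cover wp-admin/admin-ajax.php.
<Files admin-ajax.php>
    # Apache 2.4 (mod_authz_core): allow only the placeholder admin address
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>

    # Apache 2.2 (mod_authz_host): same policy in the older syntax
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>
```

Replace 203.0.113.10 with the address(es) you administer the blog from; a request from any other address gets the same Access Denied page as with the original deny-all rule.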
4 comments
Hi Constantin,
Does this vulnerability work exclusively on version 2.1.3?
Aren’t earlier versions vulnerable?
Greetings from Cluj :)
Hello and welcome Blad3!
I was kind of lonely around here :).
This vulnerability works on all versions of Wordpress below 2.1.3. But as I said, if you can find a way to block all external access to the wp-admin/admin-ajax.php file, it will be safe enough.
In this case, this vulnerability sounds very interesting.
However, I did some diffs on that file admin-ajax.php, before and after 2.1.3, and no vulnerability is patched after 2.1.3.
Maybe it was patched in a different file? Didn’t have time to look at all the changes.
I think the vulnerability lies in wp-includes/pluggable.php. You can find there some login functions used to authenticate the user from the cookie variables. I didn’t have the time to look more into it, but my best guess is that the problem is in there.