Comments on: WordPress Admin Password can be Reset by Anyone (Fix Provided) http://www.hostscope.com/templature/wordpress-admin-password-can-be-reset-by-anyone-fix-provided/ WordPress is the new LAMP. Wed, 26 May 2010 08:18:21 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: jrrl http://www.hostscope.com/templature/wordpress-admin-password-can-be-reset-by-anyone-fix-provided/comment-page-1/#comment-5503 jrrl Wed, 12 Aug 2009 01:29:22 +0000 http://www.hostscope.com/?p=363#comment-5503 The exploit should work with any user name that is allowed to reset their password. If reset requires admin approval, then nada will happen (although you won't be able to tell the real resets from the fake in your admin email). If your administrator account (or accounts) have a different user name, it will require the bad guy to figure out those user names. Yet another reason to use a user name other than "admin", although I am all too guilty of sticking with "admin" on some of my sites (but I patched them all :-P). The exploit should work with any user name that is allowed to reset their password. If reset requires admin approval, then nada will happen (although you won’t be able to tell the real resets from the fake in your admin email). If your administrator account (or accounts) have a different user name, it will require the bad guy to figure out those user names.

Yet another reason to use a user name other than “admin”, although I am all too guilty of sticking with “admin” on some of my sites (but I patched them all :-P ).

]]> By: Jason http://www.hostscope.com/templature/wordpress-admin-password-can-be-reset-by-anyone-fix-provided/comment-page-1/#comment-5502 Jason Wed, 12 Aug 2009 01:18:40 +0000 http://www.hostscope.com/?p=363#comment-5502 Does the exploit work if the admin user has been deleted and other users not named "admin" are Administrators? i.e. can they sniff that out? then the question is, would they bother? Does the exploit work if the admin user has been deleted and other users not named “admin” are Administrators? i.e. can they sniff that out? then the question is, would they bother?

]]> By: jrrl http://www.hostscope.com/templature/wordpress-admin-password-can-be-reset-by-anyone-fix-provided/comment-page-1/#comment-5499 jrrl Wed, 12 Aug 2009 00:01:40 +0000 http://www.hostscope.com/?p=363#comment-5499 It stops the reset if the reset key (the long string of gibberish in your email if you ask for a reset) is an array. The old method just checked to make sure the value wasn't empty. The exploit tricks the wp-login script by tweaking the arguments to wp-login.php (in the URL) to make the key into an array. It stops the reset if the reset key (the long string of gibberish in your email if you ask for a reset) is an array. The old method just checked to make sure the value wasn’t empty. The exploit tricks the wp-login script by tweaking the arguments to wp-login.php (in the URL) to make the key into an array.

]]> By: Gary Stephen Callaghan http://www.hostscope.com/templature/wordpress-admin-password-can-be-reset-by-anyone-fix-provided/comment-page-1/#comment-5498 Gary Stephen Callaghan Tue, 11 Aug 2009 23:55:30 +0000 http://www.hostscope.com/?p=363#comment-5498 <strong>Thanks for posting this, this really will save alot of annoyance. What exactly does this new line of code do ? </strong> Thanks for posting this, this really will save alot of annoyance. What exactly does this new line of code do ?

]]>