Fix: Wordpress Admin Password Reset Exploit

by Salman Ul Haq | August 11, 2009

Yes, there is still no patch in sight of the latest Wordpress Admin Password Reset exploit where anyone can reset admin password of any blog hosted on Wordpress without any confirmation.

Whats the bug?

The password reset URL takes parameter with the name of key. If you pass this key as arbitrary text or empty then nothing happens and an error is displayed.

Someone really genius worked out a way to fool it and passed key[] which is an empty array! And the reset php page thinks it as valid and resets the password and sends out the email to the admin’s email address listed.

Whats the fix?

Open wp-login.php and goto line 190 (for WP 2.8.3) and line 169 (for earlier versions) and replace this line:

with…

What does this mean?

This means that in addition to no value or null being passed, if some smart guy passes an array then that should also be treated as invalid.

Update:

Wordpress update 2.8.4 has been released.

Join ProgrammerFish Facebook Fan Page to get instant updates.

Jay Castillo

Thanks for the tip, I was able to implement with no problems. Still hesitant to upgrade wordpress so this is the best solution for me!

Jesper Wallin

Hehe, quite interesting to see so many exploits in such important parts of a software so well spread as WordPress.. Might worth doing some code auditing. :-)

Andy

Thanks for this quick fix!

Amazed this hasn't been spotted earlier by someone either - you just assume such fundamental issues like this are just not present with the 1000s of people checking each WordPress build so closely :(

Christoph

Thx for sharing this.

I immediately secured all of my blogs. Unbelievable that this security issue has not been detected and closed earlier.

neilt

i have several wordpress blogs running on OS X Server 10.5... for some reason, these are not effected by this little hack...they are using php version 5.2.8
could this have something to do with it? on my server with linux and php 5.2.5 the above hack works, but not on unpatched mac servers

Joe Amenta

Users who upgrade to 2.8.4, available right now through automatic upgrade, will be safe from this exploit and will not have to manually change this code.

mliving

Forget it... closer inspection with clear eyes fixed the problem! :)

mliving

One more quick question.

I'm getting multiple in the code of my home.php page and I can not for the life of me figure out why.

Any suggestions?

mliving

All fixed! Thanks for the fast reply and correction.

Best Regards

Nile

It is because the graphic looks like it has some spaces.

Handles resetting the user's password.

if ( empty($key) )

Replace above code with

if ( empty($key)|| is_array($key) )

Should not produce an error. I tried it on my own site early this morning when I put the code only 10 minutes after the issue came up.

mliving

Tried your fixed and received an error when I tried to login.

Replaced:
if ( empty( $key ) )}

With:
if ( empty( $key ) )|| is_array( $key ) )]

Ryan Kearney

Thanks for this fix.