wordpress unauthenticated administrator password reset – 2.8.3

admin — Tue, 11 Aug 2009 18:03:52 +0000

There is a security flaw in WordPress 2.8.3 which allows the admin password to be reset via a browser GET request. This will temporarily lock out admins from their site. It is a flaw in the password reset function of wp-login.php. It can only reset the admin account and cannot be used to break into the system. In other words, an inconvenience, not a threat.

To temporarily fix this until it is patched by the WP developers change line 190 in wp-login.php from:

if ( empty( $key ) )

to:

if ( empty( $key ) || is_array( $key ) )

A good write-up of the situation can be found here at H-Online.com. If you find yourself already locked out of your system, there is a script available from codex.wordpress.org: Using the Emergency Password Reset Script

Let’s stay safe out there…

Share this on del.icio.us
Digg this!
Share this on Reddit
Stumble upon something good? Share it on StumbleUpon
Share this on Technorati
Share this on Facebook
Tweet This!
Share this on LinkedIn
Add this to Google Bookmarks
Post on Google Buzz
Share this on FriendFeed

carpeDMI.com » security

wordpress unauthenticated administrator password reset – 2.8.3