Make WordPress Core

Opened 13 years ago

Closed 13 years ago

#1080 closed defect (bug) (fixed)

admin password changed by other than admin

Reported by: georgianlady
Owned by: ryan
Milestone:
Priority: highest omg bbq
Severity: major
Version: 1.5
Component: Security
Keywords:
Focuses:
Cc:


Someone accessed wp-login.php on my site and used the lost password link, and generated new passwords sent to my email address, but they are NOT like the emails generated by WP. I cannot replicate this problem. IP was logged in referrer on my site.

I couldn't use my real password to login, so I reinstated it using phpmyadmin. No other data *seems* to have been changed. After I was logged in, I tried to reproduce the problem and could not.

Attachments (1)

fix_1080.patch (798 bytes) - added by georgianlady 13 years ago.


Change History (11)

#1 @georgianlady
13 years ago

  • Patch set to No

#2 @MC_incubus
13 years ago

  • Priority changed from normal to highest

#3 @anonymousbugger
13 years ago

edited on: 03-13-05 13:04

#4 @georgianlady
13 years ago

I'm restating some of this so that the situation from my side is clearer, I hope.

Compare these two emails. The first is one I generated myself, and is standard as to how WP sends a lost password. [domain removed from URLs, weblog name generic]


Subject: [MY WEBLOG NAME] Password Reset

Someone has asked to reset a password for the login this site


Login: admin

To reset your password visit the following address, otherwise just ignore this email and nothing will happen.


Above is exactly the only thing I can replicate by trying to get a new password.

Here is one of the emails I got that was part of 5 fraudulent new password emails.

Subject: [MY WEBLOG NAME] Your new password

Login: admin
Password: 60fb2a7
http://MY.DOMAIN.com/weblog/wp-login.php

So if the above is really generated from WP, why is it that I can't get WP to generate such an email to me? And if it is true that WP is able to generate such a message, it's something scary, 'cause it doesn't allow for the owner of the site to control the site, my password was changed by some stranger somehow.

Out of those 5 emails stating "Your new password" there were an additional two emails saying that the password for admin was changed.

Here's the order of the emails:

6:20am Your new Password
6:20am Password Lost/Changed
6:24am Your new Password
6:25am Your new Password
6:25am Your new Password
6:25am Your new Password
6:25am Password Lost/Changed

The Password Lost/Changed fraudulent emails look exactly as this (with weblog name changed):

Subject: [MY WEBLOG NAME] Password Lost/Change

Password Lost and Changed for user: admin

I say both those types are fraudulent since I didn't request them, and since I am the owner of the site, that's a bit scary that this can happen.

#5 @idanso
13 years ago

Seems to me like an issue at wp-login.php Line 124.

It does a password reset using an md5'ed key from the GET input, but does not check if the input is empty.

If the key at the database is empty, and the key is also empty, one is able to reset another user's password without much trouble...

#6 @ryan
13 years ago

  • Owner changed from anonymous to rboren
  • Status changed from new to assigned

#7 @ryan
13 years ago


Good catch idanso. Without an empty key check, we would query the database, get the first user with an empty key, and reset the password for that user. I don't think anyone can gain access to your blog using this method. They can just annoy you by resetting your password.

#8 @idanso
13 years ago

"I don't think anyone can gain access to your blog using this method. They can just annoy you by resetting your password."

Actually, in theory it might be possible to guess the newly generated password. Since you know _when_ the password was generated, and since the password generator has its entropy seeded from microtime, it's probably going to take far less brute force to crack it than without the reset.

#9 @MC_incubus
13 years ago

I'd deleted my note on this once I came to the same conclusion as idanso last night. I e-mailed Matt about it, but looks like your fix is very similar to the one I proposed (I just die()ed if the $key wasn't 32 characters long, as an MD5 should be).

And now that this is public knowledge, we should probably advise people to request password resets for all their WP 1.5 logins. This will fill in a value for the key in the database and prevent blank keys from matching anything.

I told some people in #wordpress to do that, and have verified that their blogs are now secure against this bug.
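
The empty-key match described in comments #5 and #7, and the key checks discussed in #7 and #9, modelled as an added example (this is not WordPress code and not part of the ticket). It uses Python with an in-memory SQLite table; the `users` table, the `reset_key` column and all function names are assumptions made for the illustration.

```python
import re
import secrets
import sqlite3

KEY_RE = re.compile(r"[0-9a-f]{32}")  # shape of an MD5 hex digest

def make_db():
    # Constructed sample data: two accounts that never requested a reset,
    # so their stored key is the empty string. Schema names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT,"
               " reset_key TEXT NOT NULL DEFAULT '')")
    db.executemany("INSERT INTO users (login) VALUES (?)",
                   [("admin",), ("editor",)])
    return db

def lookup_unchecked(db, key):
    # No empty-key check: '' equals the stored '' and the first such user
    # is returned, which is the account whose password would be reset.
    row = db.execute("SELECT login FROM users WHERE reset_key = ?"
                     " ORDER BY id LIMIT 1", (key,)).fetchone()
    return row[0] if row else None

def lookup_checked(db, key):
    # Refuse to query unless the key is exactly 32 hex characters.
    if not isinstance(key, str) or not KEY_RE.fullmatch(key):
        return None
    return lookup_unchecked(db, key)

def request_reset(db, login):
    # A legitimate reset request stores a non-empty key for that login.
    key = secrets.token_hex(16)  # 32 hex chars; stand-in for the real key
    db.execute("UPDATE users SET reset_key = ? WHERE login = ?", (key, login))
    return key

if __name__ == "__main__":
    db = make_db()
    print("unchecked, empty key:", lookup_unchecked(db, ""))
    print("checked, empty key:  ", lookup_checked(db, ""))
    key = request_reset(db, "admin")
    print("after admin requests a reset:", lookup_unchecked(db, ""))
    print("checked, valid key:  ", lookup_checked(db, key))
```

Requesting a reset for `admin` alone leaves `editor` matching the empty key, which is why comment #9 advises doing it for all logins. The key check rejects the empty input regardless of what is stored.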

#10 @ryan
13 years ago

  • fixed_in_version set to 1.5.1
  • Resolution changed from 10 to 20
  • Status changed from assigned to closed