Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#15286 closed defect (bug) (worksforme)

can reset admin password by admin-ajax.php

Reported by: rYokiNG
Owned by:
Milestone:
Priority: normal
Severity: critical
Version: 3.0.1
Component: Administration
Keywords: reporter-feedback
Focuses:
Cc:

Description (last modified by westi)

when you type "/wp-admin/admin-ajax.php?action=wp-compression-test&test=1&1287468825469";

and refresh 3 times, the admin password just resets,

I have a video for this report but can't attach it, it's a big file.

> if ( ! isset( $_REQUEST['action'] ) )
>     die('-1');
> require_once('./includes/admin.php'); //load admin.php already
> @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
> send_nosniff_header();
> do_action('admin_init');
> if ( ! is_user_logged_in() ) { //check after
>     if ( isset( $_POST['action'] ) && $_POST['action'] == 'autosave' ) {
>         $id = isset($_POST['post_ID'])? (int) $_POST['post_ID'] : 0;
>         if ( ! $id )
>             die('-1');

Change History (13)

#1 follow-up: @mrmist
5 years ago

  • Keywords bug reset password removed

Doesn't do anything for me. The supplied URL just echoes -1 if not logged in, or 0 if logged in (against trunk).

#2 @westi
5 years ago

  • Description modified (diff)

#3 @westi
5 years ago

If you can really reproduce this please report to security@… with the full details.

#4 in reply to: ↑ 1 @rYokiNG
5 years ago

please try 3 times

#5 follow-up: @mrmist
5 years ago

I've tried a lot of times ;)

#6 in reply to: ↑ 5 @rYokiNG
5 years ago

please try logging in with the old admin password on your blog, mrmist
thanks for your interest

#7 @mrmist
5 years ago

  • Keywords needs-patch added

Well, for sure it seems the attack is real.

I don't appreciate POCs being tested on my live server though. :/

#8 @mrmist
5 years ago

I still haven't been able to reproduce against trunk, mind.

#9 @mrmist
5 years ago

Actually ignore that I just tested - password remains the same.

#10 @mrmist
5 years ago

  • Keywords reporter-feedback added; needs-patch removed

Have you tested this against a stock install without plugins?

#11 @rYokiNG
5 years ago

I tested without plugins, OK. I recorded a video and uploaded it to a server: http://test.vsi-group.dk/testvdo.rar Please download and see. I tested without plugins, and I used the default theme.

#12 @westi
5 years ago

I still can't reproduce this.

As a logged out user the only code which runs for that page request is things hooked onto the wp_ajax_nopriv_wp-compression-test action.

What is the admin password being changed to?

Have you checked for code in the mu-plugins folder?
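The point made in comment #12 about what can actually run for a logged-out request, shown as an added illustration that is neither part of the ticket nor WordPress core code: a small PHP model of the admin-ajax.php dispatch. The `wp_ajax_nopriv_` / `wp_ajax_` hook prefixes, the `is_user_logged_in()` branch and the -1/0 responses follow what the ticket quotes and describes; the hook registry, the `unauthenticated_actions()` audit helper and the sample registrations are constructed for this example.

```php
<?php
// Added example, not WordPress core: a minimal model of how admin-ajax.php
// routes the `action` parameter. It shows why a request from a logged-out
// visitor can only reach callbacks hooked onto wp_ajax_nopriv_{action}, and
// gives a defender a quick way to list which actions are reachable that way.

$hooks = [];   // hook name => list of callables (constructed registry)
$log   = [];   // records which callbacks actually ran

function add_hook(string $hook, callable $cb): void {
    global $hooks;
    $hooks[$hook][] = $cb;
}

function run_hook(string $hook): int {
    global $hooks;
    $count = 0;
    foreach ($hooks[$hook] ?? [] as $cb) {
        $cb();
        $count++;
    }
    return $count;
}

// Model of the dispatch in admin-ajax.php: pick the hook prefix from the
// login state, fire it, and return the body the script would die() with
// when no callback exited first ('-1' logged out, '0' logged in, as
// comment #1 describes).
function dispatch(string $action, bool $logged_in): array {
    $hook  = ($logged_in ? 'wp_ajax_' : 'wp_ajax_nopriv_') . $action;
    $fired = run_hook($hook);
    return ['hook' => $hook, 'callbacks_run' => $fired,
            'response' => $logged_in ? '0' : '-1'];
}

// Defender's audit (constructed helper): which action names have a
// callback registered for unauthenticated requests?
function unauthenticated_actions(): array {
    global $hooks;
    $prefix = 'wp_ajax_nopriv_';
    $out = [];
    foreach (array_keys($hooks) as $name) {
        if (strpos($name, $prefix) === 0) {
            $out[] = substr($name, strlen($prefix));
        }
    }
    sort($out);
    return $out;
}

// Constructed registrations standing in for core and plugin hooks.
add_hook('wp_ajax_nopriv_wp-compression-test', function () use (&$log) {
    $log[] = 'compression test (nopriv)';
});
add_hook('wp_ajax_wp-compression-test', function () use (&$log) {
    $log[] = 'compression test (logged in)';
});
add_hook('wp_ajax_change-password', function () use (&$log) {
    $log[] = 'change password (logged in only)';
});

// Three logged-out requests, as in the report: only the nopriv hook fires.
for ($i = 1; $i <= 3; $i++) {
    $r = dispatch('wp-compression-test', false);
    printf("request %d: hook=%s callbacks=%d response=%s\n",
           $i, $r['hook'], $r['callbacks_run'], $r['response']);
}

// A logged-in request reaches the other branch only.
$r = dispatch('wp-compression-test', true);
printf("logged in: hook=%s callbacks=%d response=%s\n",
       $r['hook'], $r['callbacks_run'], $r['response']);

echo "callbacks that ran: " . implode('; ', $log) . "\n";
echo "actions reachable without login: "
   . implode(', ', unauthenticated_actions()) . "\n";
```

Run it with `php` from the command line. The audit list is the thing to check on a real site where a report like this one cannot be reproduced on a stock install: a plugin or mu-plugin that hooks a sensitive operation onto a `wp_ajax_nopriv_` name would appear there, while nothing registered only under `wp_ajax_` can be reached by a logged-out visitor regardless of how many times the URL is refreshed.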

#13 @westi
5 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I've never been able to reproduce this.
