can reset admin password by adminajax.php

[rYokiNG]

when you type "/wp-admin/admin-ajax.php?action=wp-compression-test&test=1&1287468825469";

and refresh 3 time admin password just reset,

i have video for this report but can't attach it big file.

require_once('../wp-load.php');
> 
> if ( ! isset( $_REQUEST['action'] ) )
> die('-1');
> 
> require_once('./includes/admin.php'); //load admin.php already
> @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
> send_nosniff_header();
> 
> do_action('admin_init');
> 
> if ( ! is_user_logged_in() ) { //check after
> 
> if ( isset( $_POST['action'] ) && $_POST['action'] == 'autosave' ) {
> $id = isset($_POST['post_ID'])? (int) $_POST['post_ID'] : 0;
> 
> if ( ! $id )
> die('-1');

[mrmist]

Doesn't do anything for me. The supplied URL just echos -1 if not logged in, or 0 if logged in (against trunk).

[westi]

If you can really reproduce this please report to security@… with the full details.

[rYokiNG]

please try 3 time

[mrmist]

I've tried alot of times ;)

[rYokiNG]

plase try login old password admin on blog mrmist
​http://www.misthaven.org.uk/blog/
thank for interesting

[mrmist]

Well, for sure it seems the attack is real.

I don't appreciate POCs being tested on my live server though. :/

[mrmist]

I still haven't been able to reproduce against trunk, mind.

[mrmist]

Actually ignore that I just tested - password remains the same.

[mrmist]

Have you tested this against a stock install without plugins?

[rYokiNG]

i test with out plugin ok i record video and upload to server ​http://test.vsi-group.dk/testvdo.rar please download and see i test with out plugin, i used default themes

[westi]

I still can't reproduce this.

As a logged out user the only code which runs for that page request is things hooked onto the wp_ajax_nopriv_wp-compression-test action.

What is the admin password being changed to?

Have you checked for code in the mu-plugins folder?

[westi]

I've never been able to reproduce this.