WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#15286 closed defect (bug) (worksforme)

can reset admin password by adminajax.php

Reported by: rYokiNG
Owned by:
Milestone:
Priority: normal
Severity: critical
Version: 3.0.1
Component: Administration
Keywords: reporter-feedback
Focuses:
Cc:

Description (last modified by westi)

When you type "/wp-admin/admin-ajax.php?action=wp-compression-test&test=1&1287468825469"

and refresh 3 times, the admin password is just reset.

I have a video for this report but can't attach it; it is a big file.

> require_once('../wp-load.php');
>
> if ( ! isset( $_REQUEST['action'] ) )
>     die('-1');
>
> require_once('./includes/admin.php'); // load admin.php already
> @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
> send_nosniff_header();
>
> do_action('admin_init');
>
> if ( ! is_user_logged_in() ) { // check after
>
>     if ( isset( $_POST['action'] ) && $_POST['action'] == 'autosave' ) {
>         $id = isset($_POST['post_ID'])? (int) $_POST['post_ID'] : 0;
>
>         if ( ! $id )
>             die('-1');

Change History (13)

comment:1 follow-up: @mrmist 4 years ago

  • Keywords bug reset password removed

Doesn't do anything for me. The supplied URL just echoes -1 if not logged in, or 0 if logged in (against trunk).

comment:2 @westi 4 years ago

  • Description modified (diff)

comment:3 @westi 4 years ago

If you can really reproduce this please report to security@… with the full details.

comment:4 in reply to: ↑ 1 @rYokiNG 4 years ago

Please try 3 times.

comment:5 follow-up: @mrmist 4 years ago

I've tried a lot of times ;)

comment:6 in reply to: ↑ 5 @rYokiNG 4 years ago

Please try to log in with the old admin password on mrmist's blog
http://www.misthaven.org.uk/blog/
Thanks for your interest.

comment:7 @mrmist 4 years ago

  • Keywords needs-patch added

Well, for sure it seems the attack is real.

I don't appreciate POCs being tested on my live server though. :/

comment:8 @mrmist 4 years ago

I still haven't been able to reproduce against trunk, mind.

comment:9 @mrmist 4 years ago

Actually, ignore that. I just tested - password remains the same.

comment:10 @mrmist 4 years ago

  • Keywords reporter-feedback added; needs-patch removed

Have you tested this against a stock install without plugins?

comment:11 @rYokiNG 4 years ago

I tested without plugins. OK, I recorded a video and uploaded it to a server: http://test.vsi-group.dk/testvdo.rar Please download it and see. I tested without plugins, and I used the default theme.

comment:12 @westi 4 years ago

I still can't reproduce this.

As a logged out user the only code which runs for that page request is things hooked onto the wp_ajax_nopriv_wp-compression-test action.

What is the admin password being changed to?

Have you checked for code in the mu-plugins folder?
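Added example (not part of the ticket and not WordPress core code): one way to answer the two triage questions in comment:12 on an affected site is to list what is registered on the hooks named on this page and which must-use plugins are loaded. It assumes it runs inside a loaded WordPress, for instance with WP-CLI's `wp eval-file`; the `audit_*` function names are hypothetical.

```php
<?php
// Added example: audit hooks reachable by a logged-out admin-ajax.php request.

// Render a callback as "function", "Class::method" or "closure".
function audit_describe_callback( $cb ) {
    if ( is_string( $cb ) ) {
        return $cb;
    }
    if ( is_array( $cb ) && count( $cb ) === 2 ) {
        $class = is_object( $cb[0] ) ? get_class( $cb[0] ) : $cb[0];
        return $class . '::' . $cb[1];
    }
    return ( $cb instanceof Closure ) ? 'closure' : 'unknown callable';
}

// List callbacks on a hook. Handles the WP_Hook object used by newer
// WordPress versions and the plain nested array used by older ones.
function audit_hook_callbacks( $hook ) {
    global $wp_filter;
    if ( empty( $wp_filter[ $hook ] ) ) {
        return array();
    }
    $entry       = $wp_filter[ $hook ];
    $by_priority = is_object( $entry ) ? $entry->callbacks : $entry;
    $out         = array();
    foreach ( $by_priority as $priority => $callbacks ) {
        foreach ( $callbacks as $registered ) {
            $name  = audit_describe_callback( $registered['function'] );
            $out[] = sprintf( '%s (priority %d)', $name, $priority );
        }
    }
    return $out;
}

// Hooks named on this page: admin_init fires before the login check in the
// quoted excerpt; the nopriv action is the one named in comment:12.
foreach ( array( 'admin_init', 'wp_ajax_nopriv_wp-compression-test' ) as $hook ) {
    echo "== $hook ==\n";
    foreach ( audit_hook_callbacks( $hook ) as $line ) {
        echo "  $line\n";
    }
}

// Must-use plugins load on every request and are absent from the normal plugin list.
echo "== mu-plugins ==\n";
foreach ( wp_get_mu_plugins() as $file ) {
    echo "  $file\n";
}
```

Callbacks that a plugin registers only when `is_admin()` is true will not appear under WP-CLI, so an empty list here does not rule out code that hooks in during a real admin-ajax.php request.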

comment:13 @westi 4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

I've never been able to reproduce this.
