Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #29670


Ignore:
Timestamp:
09/14/2014 06:21:28 PM (10 years ago)
Author:
johnbillion
Comment:

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #29670

    • Property Summary changed from Admin cannot use own password to login due to programming . to Admin cannot use own password to log in
  • Ticket #29670 – Description

    initial v1  
    55I was working on wordpress-3.9.2 and came across some problems. I would like you to consider this.
    66
    7 There is problem is 'user_pass' field. If I create a user on Install with password ---> ' "><iframe src=javascript:alert(1)/> '. Then I am unable to login using this password. This should not happen. Error or something should be implemented.
     7There is problem is 'user_pass' field. If I create a user on Install with password ---> ` "><iframe src=javascript:alert(1)/> `. Then I am unable to login using this password. This should not happen. Error or something should be implemented.
    88
    991. In wordpress-3.9.2/wordpress/wp-admin/install.php
    1010
    11 $admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
     11`$admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';`
    1212
    1313
    14 wp_unslash( $_POST['admin_password'] )    //here slashed are removed.
     14`wp_unslash( $_POST['admin_password'] )`    //here slashed are removed.
    1515
    1616So, it is stored some hash.
     
    39392. Now, set up database.
    40403. Then you are redirected to --> wordpress-3.9.2/wordpress/wp-admin/install.php
    41 4. Here enter your password as ---> '  "><iframe src=javascript:alert(1)/>  ' (enter the value which is present in single quotes)
     414. Here enter your password as ---> `  "><iframe src=javascript:alert(1)/>  `
    42425. Now, finish the set up.
    43 6. Now, on login try to enter your password as ' "><iframe src=javascript:alert(1)/> '.
     436. Now, on login try to enter your password as ` "><iframe src=javascript:alert(1)/> `.
    44447. You won't be able to login as there is difference.
    4545