WordPress Login Security Issue

Filed Under (0day, blog support, fix, word press) by chris on Tuesday, August 11th, 2009


This just in from the Internet Storm Center

Juha-Matti pointed out multiple reports on a vulnerability in the widely used WordPress blog software that supposedly lets remote users reset the administrative password. They all lead to an original post on a full disclosure mailing list.

You can get all the details from the original post – WordPress unauthenticated administrator password reset

You can find the fix here

Basically you just need to change line 190 in wp-login.php from

    if ( empty( $key ) )

to

    if ( empty( $key ) || is_array( $key ) )

If line 190 in wp-login.php doesn’t match the example, you should update WordPress.

I’ve already done it here and everything still works. I also tried it on a version of WordPress that isn’t the latest version. I had to search for the string that needed changing because it’s not on line 190 in the older version. I updated the info and everything is working there too.
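To see why the one-line change matters, here is an added example (not code from this post or from WordPress itself) that models the key check before and after the fix. The helper names and the sample key values are constructed for illustration; the only thing taken from WordPress is the shape of the check.

```php
<?php
// Added example: models the reset-key check in wp-login.php before and
// after the fix described above. Function names and inputs are constructed.

function sanitize_key($key) {
    // WordPress strips non-alphanumerics from the key. preg_replace happily
    // accepts an array as its subject and then returns an array, so the
    // type of $key is preserved, not normalised to a string.
    return preg_replace('/[^a-z0-9]/i', '', $key);
}

// Original check: only asks whether the key is empty.
function key_rejected_before_fix($key) {
    $key = sanitize_key($key);
    return empty( $key );
}

// Patched check: a non-empty array is no longer treated as a usable key.
function key_rejected_after_fix($key) {
    $key = sanitize_key($key);
    return empty( $key ) || is_array( $key );
}

// Constructed inputs. PHP decodes a request parameter submitted in array
// form as an array rather than a string, which is the third case.
$inputs = [
    'string key'   => 'abc123',
    'empty string' => '',
    'array value'  => ['abc123'],
];

foreach ($inputs as $label => $key) {
    printf("%-13s before fix: %s   after fix: %s\n", $label,
        key_rejected_before_fix($key) ? 'rejected' : 'accepted',
        key_rejected_after_fix($key)  ? 'rejected' : 'accepted');
}
```

The array case is the one that changes: empty() is false for a non-empty array, so the unpatched check lets it through, while the patched check rejects anything that is not a plain string.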

