It is possible to reset the admin password in all versions of WordPress up to and including the most recent version, 2.8.3.
This information comes from a milw0rm exploit.
So, the gist is you can simply go to:
http://domain.example/wp-login.php?action=rp&key[]=
and it’ll reset the admin password. milw0rm didn’t supply a patch, but thankfully the internet is awesome and pzero from reddit pointed me to the fix:
Open wp-login.php and go to line 190 (assuming WP 2.8.3, or for earlier versions line 169) and replace this line:
if (empty( $key ) )
with
if (empty( $key ) || is_array( $key ) )
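Why the one-line change matters, as an added example (not WordPress's own code and not from the original post): PHP turns a `key[]=` parameter into a one-element array, which `empty()` does not treat as empty. The function names and the sample query strings below are constructed for illustration.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

// The check as quoted above before the fix: rejects only "empty" values.
function key_rejected_before_fix($key) {
    return empty($key);
}

// The check as quoted above after the fix: also rejects any array.
function key_rejected_after_fix($key) {
    return empty($key) || is_array($key);
}

// Constructed query strings, parsed the same way PHP fills $_GET.
$samples = array(
    'no key parameter' => 'action=rp',
    'empty scalar key' => 'action=rp&key=',
    'array key'        => 'action=rp&key[]=',
    'well-formed key'  => 'action=rp&key=CONSTRUCTEDSAMPLEKEY',
);

foreach ($samples as $label => $query) {
    parse_str($query, $params);
    // A missing parameter is treated as an empty string here (assumption).
    $key = isset($params['key']) ? $params['key'] : '';
    printf(
        "%-18s type=%-6s before_fix=%-8s after_fix=%s\n",
        $label,
        gettype($key),
        key_rejected_before_fix($key) ? 'rejected' : 'ACCEPTED',
        key_rejected_after_fix($key) ? 'rejected' : 'accepted'
    );
}
```

Run with the PHP CLI; the row to look at is the array key, which is the only input the two checks treat differently.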
Have fun patching your systems peeps. If (and only if) you’re running 2.8.3 you can download a fixed wp-login.php. If you’re running a lower version, you’ll have to edit the file manually. Please back up your wp-login.php before changing it, my file might cause unforeseen problems otherwise.
UPDATE: WordPress have now released 2.8.4, which fixes this issue. Upgrade now.
Here are some screenshots showing exactly how it works:
- just press enter and then…
but with the patch in place, WordPress is no longer vulnerable to this password reset attack:
To those of you wondering what the consequences are:
- Annoyance.
- Inconvenience.
- Admin lock-out, if a script was set up to repeatedly generate new passwords.
- Admin lock-out, if admin no longer has access to their “admin” email address.
- Resource consumption.
- Email flood.
So, while it’s not as serious as a revealed password would be, there are some serious potential consequences.
#1 by aaron condron on August 16, 2009 - 12:03 pm
hack master
#2 by lisa on August 17, 2009 - 2:10 am
hiya i need help in hacking someone's msn can you help me!
#3 by jesse manaton on December 23, 2009 - 11:16 am
I would think that you won't be able to hack msn but, the easy thing to hack someone's password what they like doing/girl/boy friend that is the easy way to hack passwords…but sometimes they don't work!
#so keep looking on youtube!
#4 by MANISH on September 16, 2009 - 7:16 am
SIR,
CAN U TELL ME HOW TO HACK SONICWALL NETWORK SECURITY SOFTWARE…..?
#5 by Jude Jonathan Kamano on October 9, 2009 - 3:35 pm
I want to learn how to hack computer systems
#6 by Jude Jonathan Kamano on October 9, 2009 - 3:36 pm
can you give me steps on how to breach into a network and get files?
#7 by on December 14, 2009 - 8:42 am
So many spackers on the internet.
#8 by the hacker on January 3, 2011 - 5:37 pm
hi, I'm not the best at hacking and i would like to get better. i would most strongly want to learn about hacking game servers. any help?
#9 by Hacking tricks on January 12, 2011 - 7:27 pm
Hi friends all eager to learn hacking. It’s easy to learn the basic hacking like hacking accounts, usual websites. But in order to become a professional hacker, you have to put in a lot of work. I’m a budding cyber security warrior.
#10 by on January 18, 2011 - 9:46 am
How do u hack??