Absolute Privacy
Absolute Privacy badly broken (12 posts)

  1. schaffnern
    Member
    Posted 2 years ago #

    On the upgrade from WP 3.2.1 to 3.3 I realized this behaviour (though it might have occurred before):

    Users can login with existing username and ANY PASSWORD TEXT! Even the admin user!

    http://wordpress.org/extend/plugins/absolute-privacy/

  2. chriswhittle
    Member
    Posted 2 years ago #

    I think this is the fix for it... change the $user variable to $tmpuser (except the error)

    function abpr_authenticateUser( $user, $username, $password ){
    	global $wpdb;
    	$tmpuser = get_userdatabylogin( $username );	//look the account up into a temporary, not into $user

    	$cap = $wpdb->prefix . "capabilities";

    	if ( $tmpuser != null && array_key_exists( ABSPRIVACY_ROLEREF, $tmpuser->$cap ) ) {	//if the user's role is listed as "unapproved"
    		$user = new WP_Error( 'unapproved', __("<strong>ERROR</strong>: The administrator of this site must approve your account before you can login. You will be notified via email when it has been approved.") );
    		add_filter( 'shake_error_codes', 'abpr_add_error_code' );	//make the login box shake
    		remove_action( 'authenticate', 'wp_authenticate_username_password', 20 );	//prevent authentication of user
    	}

    	return $user;	//unchanged unless the account is unapproved, so core still checks the password
    }

    I've tested it and it seems to be good....
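    To show why the one-variable change above matters, here is an added example that is not code from the plugin or from this thread: a stand-alone PHP script that imitates the WordPress 'authenticate' filter chain. apply_filters hands each callback the previous callback's result, and wp_authenticate_username_password (priority 20) returns early when an earlier callback has already given it a user object, so a plugin callback that loads the account into $user and returns it ends the password check before it starts. FakeUser, FakeError, the $USERS table with constructed plaintext passwords, run_authenticate and remove_callback are assumptions standing in for WP_User, WP_Error, the users table, apply_filters and remove_action; only the shape of the two plugin callbacks mirrors the posted code.

```php
<?php
// Added example, not the Absolute Privacy plugin's code: a minimal imitation of
// WordPress's 'authenticate' filter chain. FakeUser, FakeError, $USERS,
// run_authenticate and remove_callback are constructed stand-ins for WP_User,
// WP_Error, the users table, apply_filters and remove_action.

class FakeUser {
    public $user_login;
    public $caps;
    public function __construct($login, array $caps) {
        $this->user_login = $login;
        $this->caps = $caps;
    }
}

class FakeError {
    public $code;
    public function __construct($code) { $this->code = $code; }
}

// Constructed sample accounts: login => [password, capabilities].
// Plaintext passwords only keep the demo short; WordPress stores salted hashes.
$USERS = array(
    'admin'  => array('correct-horse',  array('administrator' => true)),
    'newbie' => array('battery-staple', array('unapproved'    => true)),
);

// Callbacks still registered on the hook; a plugin callback may remove one
// mid-chain, which is what remove_action('authenticate', ...) does in the plugin.
$AUTH_CALLBACKS = array();

function remove_callback($name) {
    global $AUTH_CALLBACKS;
    $AUTH_CALLBACKS = array_values(array_diff($AUTH_CALLBACKS, array($name)));
}

function lookup_user($login) {
    global $USERS;
    return isset($USERS[$login]) ? new FakeUser($login, $USERS[$login][1]) : null;
}

// Stand-in for wp_authenticate_username_password (priority 20): if an earlier
// callback already produced a user object, core trusts it and skips the check.
function core_username_password($user, $username, $password) {
    global $USERS;
    if ($user instanceof FakeUser) {
        return $user;
    }
    if (!isset($USERS[$username]) || $USERS[$username][0] !== $password) {
        return new FakeError('invalid_credentials');
    }
    return new FakeUser($username, $USERS[$username][1]);
}

// Pre-fix shape: the account is loaded straight into $user and returned.
function plugin_broken($user, $username, $password) {
    $user = lookup_user($username);                 // overwrites the filter value
    if ($user != null && array_key_exists('unapproved', $user->caps)) {
        $user = new FakeError('unapproved');
        remove_callback('core_username_password');
    }
    return $user;                                   // a user object; password never checked
}

// Post-fix shape (the $tmpuser change): $user is only touched for unapproved accounts.
function plugin_fixed($user, $username, $password) {
    $tmpuser = lookup_user($username);
    if ($tmpuser != null && array_key_exists('unapproved', $tmpuser->caps)) {
        $user = new FakeError('unapproved');
        remove_callback('core_username_password');
    }
    return $user;                                   // still null, so core runs the password check
}

// Run the chain like apply_filters: each callback gets the previous result,
// and a callback removed mid-chain is skipped.
function run_authenticate(array $callbacks, $username, $password) {
    global $AUTH_CALLBACKS;
    $AUTH_CALLBACKS = $callbacks;
    $user = null;
    foreach ($callbacks as $cb) {
        if (!in_array($cb, $AUTH_CALLBACKS, true)) {
            continue;
        }
        $user = $cb($user, $username, $password);
    }
    return $user;
}

function describe($result) {
    if ($result instanceof FakeUser) { return 'logged in as ' . $result->user_login; }
    if ($result instanceof FakeError) { return 'rejected (' . $result->code . ')'; }
    return 'rejected (no result)';
}

$core = 'core_username_password';
printf("broken, admin, wrong password:  %s\n", describe(run_authenticate(array('plugin_broken', $core), 'admin', 'wrong')));
printf("fixed,  admin, wrong password:  %s\n", describe(run_authenticate(array('plugin_fixed',  $core), 'admin', 'wrong')));
printf("fixed,  admin, right password:  %s\n", describe(run_authenticate(array('plugin_fixed',  $core), 'admin', 'correct-horse')));
printf("fixed,  newbie, right password: %s\n", describe(run_authenticate(array('plugin_fixed',  $core), 'newbie', 'battery-staple')));
```

    Run it with the php CLI. The chain using plugin_broken reports 'admin' logged in with a wrong password, because core receives a user object and trusts it; the chain using plugin_fixed leaves $user null, so core performs the password check itself, and the unapproved account is still held back by the error object together with the remove_callback step that mirrors the plugin's remove_action call.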

  3. AntonFyn
    Member
    Posted 2 years ago #

    Chris - This is great news! Many of us appreciate this solution. Is there any chance you could direct us to the actual directory and .php file which this change applies?

    Also, is the code (as written above) prior to change or after the change?

    Thank you very much for any information you can provide and I apologise for any inconvenience!

    Fyn

  4. AntonFyn
    Member
    Posted 2 years ago #

    Sorry for wasting your time Chris - I found out where this file is. It is the functions.php file within the Absolute Privacy plugin folder.

    Thanks for your solution!

    Fyn

  5. chriswhittle
    Member
    Posted 2 years ago #

    No problem Fyn! I should have put that in to begin with...

  6. AntonFyn
    Member
    Posted 2 years ago #

    Chris' solution resolves this issue completely. The code which he posted is dead on...

    Ahh... sweet security once again!

  7. schaffnern
    Member
    Posted 2 years ago #

    Thanks from me too! As far as I can see, this fixes the problem. Any idea why that came up?
    Anyways, I would be happy to see an update from the plugin maintainers...

  8. inspiraven
    Member
    Posted 2 years ago #

    Thanks so much chriswhittle!

  9. kyuumeitai
    Member
    Posted 2 years ago #

    It worked for me too. Thanks!

  10. zmattmanz
    Member
    Posted 2 years ago #

    Thank God I found this -- I thought I was going crazy when I realized that I could log in with any password. Thanks so much!

  11. theoriginaldude
    Member
    Posted 2 years ago #

    Thanks for the fix :)

  12. Eric Mann
    Member
    Plugin Author

    Posted 2 years ago #

    The plugin has been patched as of version 2.0.6 to fix this vulnerability.
