WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Hack for wp-login malformed password reset url (9 posts)

  1. bgwriter09
    Member
    Posted 2 years ago #

    Encountered invalid key error on password reset. Discovered message emailed contained url delimited by angle brackets, and rightmost angle bracket was being included in login argument. Commented message variable and copied it omitting the offending bracket.

  2. Tara
    Member
    Posted 2 years ago #

    how did you resolve it?

  3. bgwriter09
    Member
    Posted 2 years ago #

    Hello t-p.

    Sorry, I thought I was clear in the OP. I commented the message variable originally in wp-login and copied it underneath the line. Below is an excerpt of the modified code.

    function retrieve_password() [...]
    
    // $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . ">\r\n"; ending angle bracket = invalid key
    
    $message .= '<' . network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login') . " \r\n";
  4. Tara
    Member
    Posted 2 years ago #

    -remember when you update WP next time, all your mods in the core files will be lost

    - second, messing with core files may cause security issue, unless you are expert in this stuff.

    - third, sorry, I can help with modifying the core file, for I am not expert in this stuff.

  5. Tara
    Member
    Posted 2 years ago #

    Oh, looks like you already resolved the issue, while I was posting my answer. :-)

  6. bgwriter09
    Member
    Posted 2 years ago #

    Yes, I realize the next update will overwrite wp-login.php, but then hopefully this issue will not persist in the next update.

    On the up side, if it does I know the first place I can look!
    ;)
    rgds,

    "The Intrepid Explorer"

  7. seacoastweb
    Member
    Posted 2 years ago #

    Ran into this issue, and removing the offending close bracket did the trick.

    Oddly, only found my way here after Googling some actual code from wp-login.php there is no mention of WordPress 3.4.1 broken password reset email link easily found. Hope this helps, and thanks for posting.

  8. jameshuckabonetech
    Member
    Posted 1 year ago #

    Hey Seacostweb! I found your thread (about 1 year old) about your homepage loading twice or at least recording the hit twice because it loaded the header twice or something. Did you ever figure that out? I'm having the same problem and have not found anything about it except for your lone, unanswered thread ...

    Thanks!

  9. jameshuckabonetech
    Member
    Posted 1 year ago #

    Forgot to click "Notify" ...

Topic Closed

This topic has been closed to new replies.

About this Topic