How to avoid recovery of 'user-activation-key'

  1. Matt123987


    Some plugins allow(ed) SQL injections. In such cases it is/was possible to read the user-activation-key without getting the corresponding email with the password-recovery link containing this key. (See an example on YouTube.)

    I think it would be a good idea to help against such vectors by the following two additions:

    As of WP 3.5.2 make changes in the file wp-login.php:

    Line 229, from:
    $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
    Line 229, to:
    $wpdb->update($wpdb->users, array('user_activation_key' => md5($key)), array('user_login' => $user_login));

    Line 458, from:
    $user = check_password_reset_key($_GET['key'], $_GET['login']);
    Line 458, to:
    $user = check_password_reset_key(md5($_GET['key']), $_GET['login']);

    Now any attacker can see the md5-code of the user-activation-key but doesn't know the corresponding key.

    Any suggestions?

    Posted: 4 years ago #
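The proposal above, as an added stand-alone example (not code from the post or from WordPress core): an in-memory array stands in for the wp_users table, `issue_reset_key()` plays the role of the line-229 change and `verify_reset_key()` the line-458 change. It assumes PHP 7+ for `random_bytes()` and `hash_equals()`; the key is random with enough entropy that a fast hash like md5 cannot be reversed by guessing, but a keyed or slow hash would be the stronger choice and is noted in the comments.

```php
<?php
// Added example, not from the forum post or WordPress core.
// $users stands in for $wpdb->users: user_login => user_activation_key.
$users = array('alice' => '');

// Stand-in for wp_generate_password(20, false): 20 random hex characters.
function generate_key() {
    return bin2hex(random_bytes(10));
}

// Line-229 change (retrieve_password): only the hash of the key is stored,
// so a SQL injection that reads the users table gets md5($key), not $key.
// The plaintext key goes solely into the e-mail link.
function issue_reset_key(array &$users, $user_login) {
    $key = generate_key();
    $users[$user_login] = md5($key);   // value visible to an attacker with DB read access
    return $key;                       // value placed in the recovery e-mail
}

// Line-458 change (action=rp): hash the submitted key before comparing.
function verify_reset_key(array $users, $submitted_key, $user_login) {
    if ($submitted_key === '' || !isset($users[$user_login]) || $users[$user_login] === '') {
        return false;
    }
    // hash_equals() avoids leaking the comparison result through timing.
    // md5() mirrors the proposal; hash_hmac('sha256', ...) with a server-side
    // secret, or password_hash(), would resist offline guessing even better.
    return hash_equals($users[$user_login], md5($submitted_key));
}

$key = issue_reset_key($users, 'alice');

// The link from the e-mail works:
var_dump(verify_reset_key($users, $key, 'alice'));              // bool(true)

// A value read from the database via SQL injection does not:
var_dump(verify_reset_key($users, $users['alice'], 'alice'));   // bool(false)
```

Because `verify_reset_key()` hashes whatever the client submits, the stored hash itself is never accepted as a key, which is exactly what defeats the read-only SQL-injection vector the post describes.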


  • Rating: 3 Votes
  • Status: This idea is under consideration