WordPress.org Ideas

How to avoid recovery of 'user-activation-key'

Matt123987 (Member)

    Some plugins allow(ed) SQL injections. In such cases it is/was possible to read the user-activation-key without getting the corresponding email with the password-recovery link containing this key. (See an example on YouTube.)

    I think it would be a good idea to help against such vectors by the following two additions:

    As of WP 3.5.2, make the following changes in the file wp-login.php:

    Line 229, from:
    $wpdb->update($wpdb->users, array('user_activation_key' => $key), array('user_login' => $user_login));
    Line 229, to:
    $wpdb->update($wpdb->users, array('user_activation_key' => md5($key)), array('user_login' => $user_login));

    Line 458, from:
    $user = check_password_reset_key($_GET['key'], $_GET['login']);
    Line 458, to:
    $user = check_password_reset_key(md5($_GET['key']), $_GET['login']);

    Now any attacker can see the MD5 hash of the user-activation-key but doesn't know the corresponding key.

    Any suggestions?

    Posted: 1 year ago
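The idea above, written out as an added standalone example (not code from the post or from WordPress core): the database row keeps only a hash of the reset key, so a read of the table, for instance through a SQL injection in a plugin, yields nothing that passes the check. An in-memory array stands in for the users table, the function names issue_reset_key and check_reset_key are assumed for illustration, and the example goes slightly beyond the post by adding an expiry time.

```php
<?php
// Added example, not from the original post or from WordPress core.
// Assumes a plain PHP 7+ environment; $store stands in for the
// wp_users table and only ever holds a hash, never the key itself.
declare(strict_types=1);

const RESET_KEY_LIFETIME = 24 * 3600; // seconds a reset key stays valid (assumed value)

/** Create a reset key, store only its hash, and return the key for the email. */
function issue_reset_key(array &$store, string $user_login): string
{
    $key = bin2hex(random_bytes(20)); // 160 random bits: unguessable, so a fast hash suffices
    $store[$user_login] = [
        'hash'    => hash('sha256', $key), // all that a database read could reveal
        'expires' => time() + RESET_KEY_LIFETIME,
    ];
    return $key; // goes into the password-recovery link only
}

/** Accept a presented key only if it hashes to the stored value and is unexpired. */
function check_reset_key(array $store, string $user_login, string $presented): bool
{
    if (!isset($store[$user_login]) || $store[$user_login]['expires'] < time()) {
        return false;
    }
    // Same hash function as in issue_reset_key(); hash_equals avoids timing leaks.
    return hash_equals($store[$user_login]['hash'], hash('sha256', $presented));
}

// Constructed demonstration with an in-memory user table.
$users  = [];
$key    = issue_reset_key($users, 'alice');
$leaked = $users['alice']['hash']; // everything a reader of the row could obtain

var_dump(check_reset_key($users, 'alice', $key));    // the real key from the email
var_dump(check_reset_key($users, 'alice', $leaked)); // the leaked hash, presented as a key
var_dump(check_reset_key($users, 'bob', $key));      // right key, wrong user
```

Presenting the stored hash as the key fails because it is hashed again before comparison, which is the whole point of the proposal.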


Rating: 3 Votes

Status: This idea is under consideration