I’ve posted about this quite a few times without a solution (and one answer from one person not experiencing this problem); hoping that this time will be the charm.
I tried the 1.2.1 upgrade, both the full install and by uploading only the changed files. It worked fine except for the Email-the-Password feature; 1.2.1 emailed the password in Base64 code which, of course, doesn’t work for login purposes:
Content-Type: text/plain; charset=UTF-8
… and meanwhile, WP had changed the password. The only way I’ve been able to get this feature to work is to re-upload the v.1.2 wp-login.php; then, without changing anything else, the password gets emailed in readable format. This makes it pretty clear that there’s something in 1.2.1 wp-login.php which is causing WP to email Base64 code rather than a “translated” version of the password.
Simply using phpmyadmin is not a solution because some of our clients’ blogs are on shared hosting accounts that do not have phpmyadmin.
My question is: is the 1.2.1 wp-login.php integral to preventing the cross-site scripting issue? And, if so, will there be an update to 1.2.1 that fixes this issue?
If not (to the second question), I feel that I am left with two choices: use the vulnerable 1.2, or use some other blogging software. I really like WP and do not want to change, but I so far haven’t seen a solution or an answer that I can go with.
Could someone please respond?