Urgent 1.2.1 Password Emailed in Base64

  • I’ve posted about this quite a few times without a solution (and one answer from one person not experiencing this problem); hoping that this time will be the charm.
    I tried the 1.2.1 upgrade, both the full install and by uploading only the changed files. It worked fine except for the Email-the-Password feature; 1.2.1 emailed the password in Base64 code which, of course, doesn’t work for login purposes:
    Mime-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: BASE64
    TG9naW46IERpYW5lDQpQYXNzd29yZDogZTIxMTQ2DQpodHRwOi8vZGlhbmV2LmNvbS9ibG9nL3dv
    cmRwcmVzcy93cC1sb2dpbi5waHA=

    … and meanwhile, WP had changed the password. The only way I’ve been able to get this feature to work is to re-upload the v.1.2 wp-login.php; then, without changing anything else, the password gets emailed in readable format. This makes it pretty clear that there’s something in 1.2.1 wp-login.php which is causing WP to email Base64 code rather than a “translated” version of the password.
    Simply using phpmyadmin is not a solution because some of our clients’ blogs are on shared hosting accounts that do not have phpmyadmin.
    My question is: is the 1.2.1 wp-login.php integral to preventing the cross-site scripting issue? And, if so, will there be an update to 1.2.1 that fixes this issue?
    If not (to the second question), I feel that I am left with two choices: use the vulnerable 1.2, or use some other blogging software. I really like WP and do not want to change, but I so far haven’t seen a solution or an answer that I can go with.
    Could someone please respond?
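As an added example (not code from the thread or from WordPress), the following shows that the "unreadable" message above is ordinary MIME: the body is only transfer-encoded, so a MIME-aware client displays it as text, and anyone who can read the mail in transit or in a mailbox recovers the temporary password with one decode. The sample message is constructed here with a made-up user, password and URL, mirroring the headers quoted in the post.

```php
<?php
// Constructed sample: same header shape as the mail quoted in the thread,
// with a made-up login, password and URL (assumption, not real data).
$raw = "Mime-Version: 1.0\r\n"
     . "Content-Type: text/plain; charset=UTF-8\r\n"
     . "Content-Transfer-Encoding: BASE64\r\n"
     . "\r\n"
     . chunk_split(base64_encode(
           "Login: example\r\nPassword: x7q2m9\r\nhttp://blog.example/wp-login.php"
       ), 76, "\r\n");

// Split a raw RFC 822 message into headers and body and undo the
// Content-Transfer-Encoding. This is what the mail client should have done.
function decode_mime_body($raw)
{
    list($head, $body) = explode("\r\n\r\n", $raw, 2);

    $headers = array();
    foreach (explode("\r\n", $head) as $line) {
        if (strpos($line, ':') === false) {
            continue; // not a header line
        }
        list($name, $value) = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }

    // Header names and encoding tokens are case-insensitive (RFC 2045),
    // which is why "BASE64" in capitals is still valid.
    $cte = isset($headers['content-transfer-encoding'])
         ? strtolower($headers['content-transfer-encoding'])
         : '7bit';

    switch ($cte) {
        case 'base64':
            // Strict mode rejects anything outside the Base64 alphabet but
            // still skips the line breaks inserted by chunk_split().
            $text = base64_decode($body, true);
            return ($text === false) ? null : $text;
        case 'quoted-printable':
            return quoted_printable_decode($body);
        default:
            return $body; // 7bit / 8bit / binary: body is already text
    }
}

echo decode_mime_body($raw), "\n";
```

The decoded text contains the password exactly as WordPress wrote it. Base64 here is a transport encoding, not protection: the "fix" discussed later in the thread only changes how the mail is labelled, not the fact that a temporary password travels in the clear.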

Viewing 15 replies - 1 through 15 (of 21 total)
I’m having exactly the same problem. Have lost login availability after moving the blog structure up one directory to root (following instructions found in these pages). The “Retrieve password” function even sends me 2 emails with different password strings. Uploading the 1.2 wp-login file does nothing for me. The email states UTF-8 encoding although my blog is set to ISO-8859-1. No idea if this can cause trouble. Have tried changing the password and then creating a new user directly in PHPMyAdmin but to no avail.

    This is weird!
    I found a base64 encoder/decoder here > http://makcoder.sourceforge.net/demo/base64.php
    The content of the first email is username/a password which isn’t mine/my url.
    The second email, once decoded, says this: “Password Lost and Changed for user: admin”.
    When I type “admin” and the correct password into the wp-login.php form, it just gets wiped out and nothing happens except I get this in the address bar:
    http://www.cfdt-accor.org/wp-login.php?redirect_to=%2Fwp-admin%2F

    Well I’m too ignorant in such things to know what that was all about but apparently the system was changing the MD5 hash in the password field of the wp-users table. Only way out I could think of was a dumpout of all tables except wp-users, a reinstall and a dump in. Working fine now.

    Frenchie91, could you explain that again?
    You dumped all of the tables (except wp-users), reinstalled 1.2.1 and it’s fine? Had your blog had any posts already? And the tables would be the .frm, .MYD and .MYI files?

    Yep, I used PHPMyAdmin to export all the tables from the database except WP_users in an SQL backup file. I destroyed the database. Reinstalled 1.2.1 with install.php. Deleted all the empty tables except the new WP_users with the new password and then dumped back in my backup file to recreate my tables containing all the data. All my posts, links and categories have come back and it’s working fine with a brand new password.
    Don’t know if we stumbled on a bug, but the whole thing was running wild and the MD5 hash was changing itself.
    By the way, I decoded your base64 stuff and it said the same as mine : Diane, a password and your URL.
    Hope you’ve managed to sort it without such radical measures.

    Thanks, Frenchie91! No, I haven’t sorted it out, except to replace what may be the most important 1.2.1 file with the 1.2 one for now. I’ll be looking into doing what you’ve done, though it will be difficult if not impossible for my clients on shared hosting.
    I was a little concerned that the WP folks did not give any input or acknowledgment of this issue, given that I’ve mentioned this issue in about six different threads here. Are they not around?

    Moderator Ryan Boren (@ryan), WordPress Dev:

    Check out this thread.

    Thanks, rboren (and thanks Frenchie91 for letting me know).
    I’ll be trying this out later tonight, and hopefully will get through it. Much appreciation!

    Trouble is the extra code generates a parse error: unexpected T_ECHO on line 72. Line 72 being “else” situated just after the extra code.

    Hm. Anything more on this?

    Wow, no updates on this? After line 65:
    function wp_mail($to, $subject, $message, $headers = '', $more = '') {
    I just wanted to state that inserting only this line of code:
    mb_language('English');
    …allowed me to reset my password and a readable temporary one sent to me. Thanks rboren, carthik, and podz! 🙂

    Having the same problem. What file is referenced that needs to be changed? Can anyone out there break it down for a newbie on exactly how to fix this? Appreciate it in advance.

    Insert the above code into /wp-login.php.

    Ok this worked. What I did, following the advice from btvillarin, was edit the wp-login.php file and insert the mb_language('English'); line as the first line in the function wp_mail.
    One thing I will note is that the line numbers referenced didn’t match the line numbers in my wp-login.php file.
    After applying the fix the password is sent in English, not Base64.
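To make the fix concrete, here is an added example of a wp_mail() wrapper with the mb_language('English') line from this thread in place. It is not WordPress's own code; the function name and parameter list follow the signature quoted above, and the fallback to mail() is an assumption for hosts without mbstring. The reason the line works: mb_send_mail() labels and encodes the body according to the mbstring language setting, whose default ("neutral") is UTF-8 with Base64 transfer encoding, which is exactly the message shape quoted at the top of the thread; "English" sends the body as 8-bit ISO-8859-1 text instead.

```php
<?php
// Added example, not WordPress's wp-login.php. Shows where the
// mb_language('English') line from the thread goes and why it matters.
function wp_mail($to, $subject, $message, $headers = '', $more = '')
{
    if (function_exists('mb_send_mail')) {
        // mb_send_mail() picks charset and Content-Transfer-Encoding from
        // the mbstring language: "neutral" (the default) => UTF-8 + Base64,
        // "English" => ISO-8859-1 + 8bit. Remember the current setting so
        // the change does not leak into other code on the same request.
        $previous = mb_language();
        mb_language('English');
        $sent = mb_send_mail($to, $subject, $message, $headers);
        mb_language($previous);
        return $sent;
    }

    // Assumption: hosts without mbstring fall back to plain mail(), which
    // never Base64-encodes the body on its own.
    return mail($to, $subject, $message, $headers);
}

// Constructed usage, matching the kind of message the thread describes.
// Do not put Content-Type or Content-Transfer-Encoding into $headers;
// mb_send_mail() adds those itself and duplicates confuse some clients.
$ok = wp_mail(
    'user@example.invalid',
    'Your new password',
    "Login: example\r\nPassword: x7q2m9\r\nhttp://blog.example/wp-login.php",
    "From: wordpress@blog.example\r\n"
);
echo $ok ? "queued\n" : "mail() failed\n";
```

Two caveats for anyone applying this on a client site: the edit is to a file the 1.2.1 upgrade replaced, so re-apply it after every upgrade until the change lands upstream, and the password still goes out in plain text; the setting only stops it being Base64-labelled in a way some mail clients failed to decode.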

    Ok, here’s one approach that worked for me:
    1. Log in to the DB using phpMyAdmin
    2. Select the DB
    3. Browse the wp_users table
    4. Edit the user record; for the password field select “MD5” from the “Function” drop-down box and type in the new password
    5. Save the record and exit.
    HTH,
    David
