dsadinoff
Forum Replies Created
Forum: Requests and Feedback
In reply to: SQL injection bug report.
But why is adding slashes a good thing? Isn’t it a little early for that? Meanwhile, this slashify_gpc business seems to make a mess of things, where there are rules, exceptions to rules, and even more rules, so the security interface is hard to read and understand. Is it possible to write a plugin which will cause the escaping to fail?
Anyway, I agree with you, I am mistaken in saying that there is a security hole in WordPress. Rather, there is a bug where no password can work which contains characters escaped by the addslashes() function. It looks like the correct hash is getting written to the database, but the cookie seems to be wrong. Perhaps it’s this slashify_gpc thing. I’m not sure. I’ve tested this, and I can’t get a password with a slash or a single quote to work properly.
At the very least, consider the wp_setcookie() at line 70. It’s passing the slashified password into the cookie routines. That doesn’t sound right.
Again, my apologies for the false alarm. When the login system failed upon setting the password to something containing a quote, I assumed the worst.
Meanwhile, shouldn’t WordPress start using the much simpler PHP5 auto-escaping systems? http://www.zend.com/php5/articles/php5-mysqli.php#Heading11
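To make the hypothesis in the reply above concrete (and the profile.php dataflow quoted further down the page), here is an added PHP illustration that is not WordPress code: it models the slashified password being hashed once on the database side and once for the cookie, beside the fixed flow. The names buggy_flow, fixed_flow, sql_literal_decode and update_password are assumptions, and the MySQL literal-decoding step is simulated with stripslashes() so the script runs without a database.

```php
<?php
// Added illustration of the flow described in the thread; not WordPress code.
// The database round trip is simulated: when addslashes() output sits inside
// MD5('...') in a MySQL statement, the server decodes the backslash escapes
// before hashing, so the stored hash is MD5 of the raw password again.
// stripslashes() is PHP's inverse of addslashes() and stands in for that step.
function sql_literal_decode(string $escaped): string {
    return stripslashes($escaped);
}

// Buggy flow (assumed from the thread): the request value arrives already
// slashified, is interpolated into the SQL, and the same slashified string
// is handed to the cookie routine, so the two hashes disagree whenever the
// password contains a quote or a backslash.
function buggy_flow(string $raw_password): array {
    $pass1       = addslashes($raw_password);        // slashify_gpc
    $stored_hash = md5(sql_literal_decode($pass1));  // MD5('$pass1') on the server
    $cookie_hash = md5($pass1);                      // wp_setcookie($user, $pass1)
    return ['stored' => $stored_hash, 'cookie' => $cookie_hash,
            'login_ok' => hash_equals($stored_hash, $cookie_hash)];
}

// Fixed flow: hash the raw password once and use that value at every sink.
// Escaping belongs only at the SQL boundary, and with a bound parameter there
// is nothing to escape by hand.
function fixed_flow(string $raw_password): array {
    $hash = md5($raw_password);
    return ['stored' => $hash, 'cookie' => $hash, 'login_ok' => true];
}

// The same update written against mysqli prepared statements (the PHP5
// feature linked above); it needs a live connection, so it is not called here.
function update_password(mysqli $db, string $login, string $raw_password): bool {
    $stmt = $db->prepare("UPDATE users SET user_pass = MD5(?) WHERE user_login = ?");
    $stmt->bind_param('ss', $raw_password, $login);
    return $stmt->execute();
}

// Constructed sample passwords: the last three are altered by addslashes().
foreach (['plainpassword', "it's", 'say "hi"', 'back\\slash'] as $pw) {
    $b = buggy_flow($pw);
    $f = fixed_flow($pw);
    printf("%-14s buggy login ok: %-5s fixed login ok: %s\n", $pw,
           var_export($b['login_ok'], true), var_export($f['login_ok'], true));
}
```

Only the plain password logs in under the buggy flow; the other three produce a cookie hash that never matches the stored one, which is the symptom the reply describes.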
Forum: Requests and Feedback
In reply to: SQL injection bug report.
I have yet to see a line of code associated with check_passwords. I don’t think it does anything.
Forum: Requests and Feedback
In reply to: SQL injection bug report.
MikeLittle, I’m no PHP guru, just a humble Perl guy since 1992. I can’t see where there is any escaping happening here.
http://trac.wordpress.org/file/tags/1.5.1.3/wp-admin/profile.php
Looks to me like the dataflow is:
$pass1 = $_POST["pass1"];
do_action('check_passwords', array($user_login, &$pass1, &$pass2));
$newuser_pass = $pass1;
$updatepassword = "user_pass=MD5('$newuser_pass'), ";
Can you explain where the escaping is? What does do_action(‘check_passwords’..) do? It looks like some sort of plug-in hook. Is there a standard plugin that does the escaping?
Forum: Requests and Feedback
In reply to: SQL injection bug report.
Sounds like the bug found its way to the right hands. Would one of you be so kind as to open a ticket for me?