the thoughts and creations of a naughty machinima artist
Related Posts
About
Content: Machinima, Girls, Games, MXM-Projects, Sexy Gushes, 3D-Stuff, Design...Writer: MaXsiM, male, horny, straight, left-handed scorpio (toxic), non-smoker, music maker, virtual world perv...
Recent Tweet: http://www.bannedinhollywood.com/20-photo-sessions-that-should-have-never-happened/ 9 hrs ago
Wordpress: Nasty Vulnerability lets Hacker Delete Admin Password!
MaXsiM on 11. August 2009 | Humans go here! | Trolls and Spammers stay out.Update: WordPress reacted fast and published the security update 2.8.4 which eliminated the vulnerability. Please upgrade now. Read the official WordPress post here.
With only a browser it is possible to delete the Admin’s password and let him stand outside his own site, due to a vulnerability in WordPress’ up-to-date version 2.8.3.
When you’re unable to login to your own site, it can get kind of stressful. Hey, it just happened to me today, isn’t that a remarkable coincidence?
Luckily i already read about the problem, so if you can’t login to your WordPress 2.8.3 admin area, don’t worry too much:
- The hacker cannot get into the admin area by using this particular vulnerability
- The WordPress Devs already resolved the problem (i hope so)
Here’s what you can do to reset your admin password and avoid more damage…
How to act after hack attack!
Have you been logged out from the admin area? Have you received one or more emails with new generated passwords? Can’t you login with your original password anymore?
Go to the site village-idiot.org and download the “Emergency Password Reset Script”. Follow the instructions:
- Unzip the file
- Upload “emergency.php” to your WordPress root directory on the server
- Call the address in your browser (http://yourpage.com/emergency.php)
- Enter your original Username and a new password, click “Update Options”
- Delete “emergency.php” from your server immediately!
Now you can log in with that new password. It’s important that you’ve entered your original Username to that form on emergency.php. Don’t take a new Username.
How to avoid further attacks!
Okay, i’ve decided to blind trust the WordPress Devs. They say they found a solution. If that’s true it’s pretty simple to kill the vulnerability.
- Download the file “wp-login.php” from your WordPress
- Make a back up just in case you destroy something
- Open wp-login.php with an editor and go to line 190
- Overwrite the code:
if ( empty( $key ) )
with
if ( empty( $key ) || is_array( $key ) )
Save, upload and overwrite the old wp-login.php and you’re done.
For more detailed information about this please visit the following sites:
[Full-disclosure] WordPress <=2.8.3 Remote admin reset password by Laurent Gaffie
Resetting Your Password (codex.wordpress.org)
Leave a Reply
- Blogging browsers christmas download Dreams of Luisa Dreams of Luisa 6 Elfish Spell Farewell Firefox 3 Games google introduction Lara Croft layout Lena Luv lively Luisa 6 machinima monthly preview MXM Master Class Outdated Part 1 Part 6: SimPose photoshop poll preview relaunch release date Review screenshots sexy SimPose 2 survey theme The Sims 3 Tomb Raider Tomb Raider 9 topmodel Trailer twitter upgrade Video WordPress workshop YouTube
Tags
mxm-studios.com by MaXsiM is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
Powered by WordPress 2.9.2, Theme "Look! There is an elf!" by mxm-studios.com
MXM on Koinup.com
