Web 2.0 Blog by Techniconseils


How To Fix WordPress 2.8.3 Password Reset Vulnerability

August 11, 2009 by Jonathan Grenier

Laurent Gaffié posted an exploit for versions of WordPress up to and including 2.8.3 (the current version as of this writing). The exploit works like this: if you pass an empty array as the “key” parameter of a reset-password request, the value passes the empty() check in wp-login.php and the password is reset, completely bypassing WordPress's usual protection. It's not too bad, since the new password is emailed to the admin address rather than displayed on the screen, but it can still be annoying.

While we wait for an official patch from WordPress, which I'm sure will be coming very soon, there's a very easy way to fix it. Simply edit wp-login.php and add this line after line 186 (the line that reads global $wpdb):

if (is_array($key)) return new WP_Error('invalid_key', __('Invalid key'));

This simple fix should do the trick: if the key is an array, the function will simply tell the user that the key is invalid, which is what it should do.
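To see why the one-line fix works, here is a stand-alone model of the key check, written for this post and not taken from WordPress itself. It stubs WP_Error and __() so it runs outside WordPress, puts the vulnerable empty()-only check beside the version with the is_array() line added, and feeds both the same constructed inputs. The array input is built as an array holding one empty string, which is what PHP produces for a query parameter written as key[]; note that a genuinely empty array would not get past empty(), it is the array with an element that does.

```php
<?php
// Added example, not code from the original post or from WordPress:
// a minimal model of the key validation in reset_password() (wp-login.php),
// before and after the one-line is_array() fix described above.

// Stubs so the script runs without WordPress loaded.
class WP_Error {
    public $code;
    public $message;
    public function __construct($code, $message) {
        $this->code = $code;
        $this->message = $message;
    }
}
function __($text) { return $text; }

// Vulnerable check: empty() is false for any array that has at least one
// element, so an array key sails through and the reset proceeds.
function validate_key_vulnerable($key) {
    if (empty($key))
        return new WP_Error('invalid_key', __('Invalid key'));
    return true;
}

// Fixed check: the line from the post, placed before everything else, so an
// array never reaches the empty() test or the database lookup.
function validate_key_fixed($key) {
    if (is_array($key)) return new WP_Error('invalid_key', __('Invalid key'));
    if (empty($key))
        return new WP_Error('invalid_key', __('Invalid key'));
    return true;
}

// Constructed inputs standing in for what $_GET['key'] may hold:
// a normal key, an empty string, and the array PHP builds for "key[]".
$inputs = array(
    'normal string' => 'abc123',
    'empty string'  => '',
    'array key'     => array(''),
);

foreach ($inputs as $label => $key) {
    $v = validate_key_vulnerable($key);
    $f = validate_key_fixed($key);
    printf("%-14s vulnerable: %-9s fixed: %s\n",
        $label,
        $v === true ? 'accepted' : 'rejected',
        $f === true ? 'accepted' : 'rejected');
}
```

Run it with php on the command line: the string key is accepted by both versions, the empty string is rejected by both, and only the array key shows the difference, accepted by the vulnerable check and rejected by the fixed one. Type-checking the parameter before any other validation is the general lesson: empty() and similar "is it set" checks say nothing about whether the value is the string the code expects. The official WordPress fix in 2.8.4 added an equivalent is_array() check.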

Techniconseils Sponsors The iPhone Dev Camp

August 5, 2009 by Jonathan Grenier

For a while now we've been looking at the iPhone platform as one of our next big focus points (our first app is coming soon; we're waiting for Apple), but today we have some great news.

Starting today, Techniconseils is sponsoring the iPhone Dev Camp Montreal, presented by the Club Mac de Montreal. On the first Wednesday of every month, we'll be at McGill University presenting the latest news and giving how-tos, not to mention drinks and food, to the developer community around town.

The Dev Camp has its own web site at http://iphone.lcmm.qc.ca. If you tweet about it, make sure to use the tag #idcmtl.