Web 2.0 Blog by Techniconseils


How To Fix WordPress 2.8.3 Password Reset Vulnerability

August 11, 2009 by Jonathan Grenier

Laurent Gaffié posted an exploit for WordPress versions up to and including 2.8.3 (the current version as of this writing). The problem is in the password reset code of wp-login.php: if the "key" parameter of a reset password request is sent as an array (for example an array holding a single empty string) instead of the expected string, it slips past the empty() check, because empty() only returns true for an array with no elements at all. The rest of the function then runs and the password is reset, completely bypassing the usual protection, which is that you need to know the per-user reset key. It's not too bad since the new password is sent to the admin's email address and not displayed on screen, so this is a lockout and a nuisance rather than an account takeover, but it can still be annoying.

While we wait for an official patch from WordPress, which I'm sure is coming very soon, there's a very easy way to fix it. Simply edit wp-login.php and add this line after line 186 (right after the line that says global $wpdb at the start of the reset_password function):

if (is_array($key)) return new WP_Error('invalid_key', __('Invalid key'));

This simple fix should do the trick: if the key is an array, the function returns the same "Invalid key" error it already returns for a missing key, which is exactly what it should do. Keep in mind that edits to wp-login.php are overwritten by the next core upgrade, so once an official release includes the check you can drop this change.
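To see why the one-line check matters, here is an added example (my code, not code from the post above or from WordPress) that reproduces the shape of the reset-key check with a constructed in-memory user list in place of $wpdb. The function and variable names are hypothetical. One detail is an assumption on my part and is not stated in the post: that the original query helper unwrapped a single-element array argument to its string value, so the lookup ran against an empty activation key. The hardened version goes slightly beyond the post's is_array() check and only accepts a non-empty string.

```php
<?php
// Added example, not code from the original post or from WordPress itself.
// It mimics the reset-key check described above using a constructed
// in-memory user list instead of $wpdb. Names are hypothetical.

// Constructed user table. An account with no pending reset has an empty
// user_activation_key, which is what the array payload ends up matching.
$users = [
    ['ID' => 1, 'user_login' => 'admin', 'user_activation_key' => ''],
    ['ID' => 2, 'user_login' => 'bob',   'user_activation_key' => 'a1b2c3d4'],
];

// Shape of the check before the fix: strip non-alphanumerics, then rely on
// empty(). preg_replace() accepts an array subject and returns an array,
// and empty() is false for any array with at least one element, so ['']
// is not rejected.
function vulnerable_lookup($key, array $users)
{
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return 'invalid_key';
    }
    // Assumption about the original query helper: a single-element array
    // argument was unwrapped, so the lookup effectively ran with ''.
    $needle = is_array($key) ? (string) reset($key) : $key;
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $needle) {
            return $u['user_login'];   // the account whose password gets reset
        }
    }
    return 'invalid_key';
}

// Hardened check. The post's one-line fix rejects arrays; this version
// accepts only a non-empty string, which also covers null and other
// non-string input.
function hardened_lookup($key, array $users)
{
    if (!is_string($key)) {
        return 'invalid_key';
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return 'invalid_key';
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return $u['user_login'];
        }
    }
    return 'invalid_key';
}

// What PHP puts in $_GET['key'] when the parameter is sent using the
// "key[]=" array syntax instead of a plain value.
$array_payload = [''];

echo "vulnerable, array payload: ", vulnerable_lookup($array_payload, $users), "\n";
echo "hardened,   array payload: ", hardened_lookup($array_payload, $users), "\n";
echo "hardened,   real key:      ", hardened_lookup('a1b2c3d4', $users), "\n";
```

Run it with the PHP command-line interpreter: the vulnerable lookup hands back the admin login for the array payload, while the hardened one rejects it and still accepts a genuine key. The general lesson is that empty() is not a type check; anything read from $_GET or $_POST should be validated as the type you expect before it reaches a query.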

Welcome to the techniconseils blog

September 18, 2008 by Jonathan Grenier

Hello everyone and welcome to our little corner of the Web. We are Techniconseils, a Montreal-based company that specializes in Web 2.0 sites and Web applications. Wow, that does sound corporate, doesn't it? Let's try it again. I'm Jonathan Grenier, a Montreal-based web programmer who has been creating websites and Web applications for over 13 years now, and I'm one of the cofounders of Techniconseils. On this blog, we'll discuss the latest trends and fads of the Web development world and hopefully give you a few tips and pointers to help you out along the way, as we encounter problems and find the solutions while dealing with our customers' sites.

Creating a Web application is becoming both easier (thanks to some fabulous libraries and frameworks) and much harder (so many technologies and buzzwords out there!). Add to this the multiplication of devices (iPhone and PSP come to mind) and it's getting a little crazy out there. I'm hoping this blog will be a good place to exchange solutions and tips on all those technologies. Make sure to check out our scripts section for ready-made scripts for your site.

So welcome aboard, thanks for stopping by and I hope to see you soon with our next post.