[wp-trac] [WordPress Trac] #17018: Password Email contains wrong Password
WordPress Trac
wp-trac at lists.automattic.com
Sat Apr 2 11:19:50 UTC 2011
#17018: Password Email contains wrong Password
----------------------------+------------------------------
Reporter: hakre | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 3.0.5
Severity: normal | Resolution:
Keywords: |
----------------------------+------------------------------
Comment (by hakre):
The cause of the error is that the password is expected to be pre-processed; the pre-processing applied is adding slashes.
$_POST is being addslashes()'ed in wp_magic_quotes() / wp-load.php on every request - that applies both to the process of creating a new user and to logging in.
The slashed password is used as the source to create the password hash when adding a new user.
The email function wp_new_user_notification() will put the password as passed into the email that will be sent out (slashes added).
The password with slashes added will be taken out of the email by the new user.
The user will then enter the already slashed password into the login form.
The $_POST data from the login will be slashed again because WordPress slashes all input (related: #5791).
The password will now be double-slash-added. The double-slashed password will then be taken to create the hash that is compared against the stored password hash.
This fails as the stored password hash has been built not from the double-slashed but from the once-addslashed version.
To obtain the requested plaintext password in its raw form that is going to be processed in the login form, [http://php.net/manual/en/function.stripslashes.php stripslashes()] needs to be applied first before sending it out per email.
Don't expect that the password users receive is actually the plain one used to generate the hash with WordPress. It's simple if you know how ;)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17018#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
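As an added illustration of the sequence described in the comment above (not code from the ticket or from WordPress): wp_magic_quotes() is simulated by running addslashes() over the request array, and PHP's password_hash()/password_verify() are assumed as a stand-in for WordPress's own password hashing.

```php
<?php
// Added illustration of ticket #17018; not WordPress code.
// Assumptions: simulate_wp_magic_quotes() stands in for wp_magic_quotes() in
// wp-load.php, and password_hash()/password_verify() stand in for the
// WordPress hashing functions.

// Every request is slashed before the application sees it.
function simulate_wp_magic_quotes(array $request): array {
    return array_map('addslashes', $request);
}

// User creation: the stored hash is built from the once-slashed password,
// and the same slashed string is what wp_new_user_notification() receives.
function create_user(array $post): array {
    $post = simulate_wp_magic_quotes($post);
    return [
        'hash'           => password_hash($post['pass1'], PASSWORD_DEFAULT),
        'pass_for_email' => $post['pass1'],
    ];
}

// Login: whatever the user types is slashed again, then checked.
function login(array $post, string $stored_hash): bool {
    $post = simulate_wp_magic_quotes($post);
    return password_verify($post['pwd'], $stored_hash);
}

// Constructed sample password containing characters that addslashes() escapes.
$plain = 'it\'s "secret"';
$user  = create_user(['pass1' => $plain]);

// Buggy notification: the slashed password is mailed unchanged. Typing it
// into the login form slashes it a second time, so the hashes do not match.
$emailed_buggy = $user['pass_for_email'];
var_dump(login(['pwd' => $emailed_buggy], $user['hash']));

// Fixed notification: stripslashes() before mailing restores the raw
// plaintext, which the login form slashes once, matching the stored hash.
$emailed_fixed = stripslashes($user['pass_for_email']);
var_dump(login(['pwd' => $emailed_fixed], $user['hash']));
```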