[wp-trac] [WordPress Trac] #29670: Admin cannot use own password to log in (was: Admin cannot use own password to login due to programming .)
WordPress Trac
noreply at wordpress.org
Sun Sep 14 18:21:29 UTC 2014
#29670: Admin cannot use own password to log in
------------------------------+------------------------------
Reporter: pranav_hivarekar | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
------------------------------+------------------------------
Description changed by johnbillion:
Old description:
> This is relating from #27464.
>
> Hello,
>
> I was working on wordpress-3.9.2 and came across some problems. I would
> like you to consider this.
>
> There is a problem in the 'user_pass' field. If I create a user on Install with
> password ---> ' "><iframe src=javascript:alert(1)/> '. Then I am unable
> to log in using this password. This should not happen. An error or something
> should be implemented.
>
> 1. In wordpress-3.9.2/wordpress/wp-admin/install.php
>
> $admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';
>
> wp_unslash( $_POST['admin_password'] ) //here slashes are removed.
>
> So, it is stored as some hash.
>
> 2. In wp-login.php
>
> You have a login form, where the password is passed. Here I guess the password is
> passed in plain text or some other filter is used.
>
> So, the user cannot log in.
>
>
> I wrote this to inform of differences.
>
> Due to this, the user is unable to log in from the login panel, as the password is
> filtered at install.php and the hash is stored, but at login the password is
> not filtered the same way as in install.php.
>
> This should be fixed.
> I hope you add same filter on both passwords. :)
>
>
> Proof Of Concept :
> ==============
> 1. Install a new copy of wordpress-3.9.2
> 2. Now, set up database.
> 3. Then you are redirected to --> wordpress-3.9.2/wordpress/wp-admin/install.php
> 4. Here enter your password as ---> ' "><iframe src=javascript:alert(1)/> '
> (enter the value which is present in single quotes)
> 5. Now, finish the set up.
> 6. Now, on login try to enter your password as ' "><iframe src=javascript:alert(1)/> '.
> 7. You won't be able to log in as there is a difference.
>
> I hope you patch this. :)
> Questions are welcome.
>
> Regards,
> Pranav
New description:

This is relating from #27464.

Hello,

I was working on wordpress-3.9.2 and came across some problems. I would
like you to consider this.

There is a problem in the 'user_pass' field. If I create a user on Install with
password ---> ` "><iframe src=javascript:alert(1)/> `. Then I am unable to
log in using this password. This should not happen. An error or something
should be implemented.

1. In wordpress-3.9.2/wordpress/wp-admin/install.php

`$admin_password = isset($_POST['admin_password']) ? trim( wp_unslash( $_POST['admin_password'] ) ) : '';`

`wp_unslash( $_POST['admin_password'] )` //here slashes are removed.

So, it is stored as some hash.

2. In wp-login.php

You have a login form, where the password is passed. Here I guess the password is
passed in plain text or some other filter is used.

So, the user cannot log in.

I wrote this to inform of differences.

Due to this, the user is unable to log in from the login panel, as the password is
filtered at install.php and the hash is stored, but at login the password is not
filtered the same way as in install.php.

This should be fixed.
I hope you add same filter on both passwords. :)

Proof Of Concept :
==============
1. Install a new copy of wordpress-3.9.2
2. Now, set up database.
3. Then you are redirected to --> wordpress-3.9.2/wordpress/wp-admin/install.php
4. Here enter your password as ---> ` "><iframe src=javascript:alert(1)/> `
5. Now, finish the set up.
6. Now, on login try to enter your password as ` "><iframe src=javascript:alert(1)/> `.
7. You won't be able to log in as there is a difference.

I hope you patch this. :)
Questions are welcome.

Regards,
Pranav
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29670#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
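
The mismatch the report describes, as an added example (not WordPress core code and not part of the ticket): a password canonicalised one way when it is set and another way when it is verified cannot round-trip. PHP's `addslashes()`, `stripslashes()` and `password_hash()` are stand-ins for WordPress's request slashing, `wp_unslash()` and password hashing, and the login path using the posted value as received is an assumption based on the reporter's guess, not something the ticket confirms.

```php
<?php
// Added illustration, not WordPress core code. Stand-ins (assumptions):
//   addslashes()    ~ the slashes WordPress adds to $_POST on each request
//   stripslashes()  ~ wp_unslash() as used in install.php
//   password_hash() ~ the stored hash (core uses its own hasher)

/** Set path: mirrors the install.php line quoted in the ticket. */
function canon_install(string $posted): string {
    return trim(stripslashes($posted));
}

/** Verify path (assumed): the posted value is used as received. */
function canon_login_raw(string $posted): string {
    return $posted;
}

/** True when a password set through $set can be verified through $verify. */
function round_trips(string $typed, callable $set, callable $verify): bool {
    $posted = addslashes($typed);   // what the handler sees in $_POST
    $hash   = password_hash($set($posted), PASSWORD_DEFAULT);
    return password_verify($verify($posted), $hash);
}

// Constructed sample inputs; 'ticket' is the password from the report.
$samples = [
    'plain'  => 'correct horse battery',
    'ticket' => ' "><iframe src=javascript:alert(1)/> ',
    'quote'  => "it's-a-secret",
    'spaces' => '  padded  ',
];

foreach ($samples as $name => $typed) {
    // "mismatched": set via install canonicalisation, verified raw.
    // "shared": the same canonicalisation on both paths.
    printf(
        "%-7s mismatched=%s shared=%s\n",
        $name,
        var_export(round_trips($typed, 'canon_install', 'canon_login_raw'), true),
        var_export(round_trips($typed, 'canon_install', 'canon_install'), true)
    );
}
```

Only passwords that the two canonicalisations treat differently (quotes, backslashes, leading or trailing whitespace) fail in the mismatched case, which is why ordinary passwords never surface the problem.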