Guys, about working this vulnerability in different PHP versions. As I tested just after I wrote previous comment, empty() works fine – the problem not in it. I tested work of empty() with arrays on my old PHP and it’s works fine, and also I checked this vulnerability on one of the latest PHP versions and empty() worked, but hole didn’t. So problem not in empty().

After I made additional research (in different WP versions), I found that attack not work at the second check – when picking out from DB to $user variable and checking it. The code in WP 2.8.3 and those older versions which I checked are similar, but hole doesn’t work. Also I checked on MySQL 4.x and 5.x, and the hole still didn’t work (i.e. there is no difference on various MySQL versions). So anyone can test it in different WP versions by himself to find vulnerable ones. So it’s strange why this hole doesn’t want to work in older versions of WP :).

Jesper.

You are right. For example, I by myself make a lot of security checking in WordPress which I’m using (in all version which I used from 2.0.3 and higher). And I found many holes in WP, some of them I disclosed, some I’d do later.

But I did’n saw this issue in wp-login.php, because I thought that “if ( empty($key) )” is enough protection, but as Laurent showed it’s not (and it can be byppased by using of array). On the other hand, as I wrote before, in my version of PHP this code works fine and doesn’t allow to bypass this check. It’s possible that in older versions of PHP empty() works fine in such cases.

Don’t worry I have never expected on WP guys and always tried to fix all holes by myself. I always exepect only on myself.

> Perhaps you could diff 2.6.2 and 2.8.3 wp-login files to see whats different.
I looked “on eye” sources of wp-login.php in 2.0.11, 2.6.2 and snippets from exploit and the idea of these files’ work is the same. In 2.6.2 and 2.8.3 these parts of code looks equal. The “if ( empty($key) )” line is the same in all these versions.

I have an assumption that it’s because of my PHP version and those PHP versions which you and Laurent Gaffié were tested. Maybe empty() in different PHP versions works differenly with arrays.

Regards,
Zelest

You shouldn’t really be using 2.0.x branch any more as its no longer maintained. Perhaps you could diff 2.6.2 and 2.8.3 wp-login files to see whats different.