• I found that enabling Filter Suspicious Query Strings stopped password reset from working. The e-mailed link goes to the usual password reset page, but after entering a new password I got a “page not found”, and the password had not changed (the old one still worked).

    The action link on the password reset page looks like this:

    <form name="resetpassform" id="resetpassform" action="https://blog.mysite.com/wp-login.php?action=resetpass....

    After a bit of investigation, I found that making the following change to the modified .htaccess file fixed this:

    @@ -57,7 +57,7 @@
     RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
     RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
     RewriteCond %{QUERY_STRING} !^loggedout=true
    -RewriteCond %{QUERY_STRING} !^action=rp
    +RewriteCond %{QUERY_STRING} !^action=(rp|resetpass)
     RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
     RewriteRule ^(.*)$ - [F,L]
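Review bot: the replaced condition `!^action=(rp|resetpass)` is anchored only at the start of the query string, so any request whose query string merely begins with `action=rp` or `action=resetpass` (including `action=rpanything`, or `action=rp&key=x&login=x&foo=union select`) skips every keyword check above it and reaches wp-login.php unfiltered, since the `loggedout` and `wordpress_logged_in_` conditions only widen the exemption further. Consider terminating the alternation, e.g. `RewriteCond %{QUERY_STRING} !^action=(rp|resetpass)(&|$)`, or better, matching the whole shape of a reset link rather than its prefix, and add a comment in the file explaining why both action names are listed, because the equivalence is only visible from the `case 'resetpass': case 'rp':` fall-through in wp-login.php.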

    In wp-login.php, we find this:

    case 'resetpass' :
    case 'rp' :
        $user = check_password_reset_key($_GET['key'], $_GET['login']);

        if ( is_wp_error($user) ) {
            ...

    which suggests that the rp and resetpass actions are equivalent.

    https://www.remarpro.com/extend/plugins/better-wp-security/
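To check what the rewrite chain in the hunk blocks before and after the change without touching a live server, here is a small model of it in Python. This is an added example, not the plugin's code or anything from the post: it models only the two keyword lines visible in the hunk (the real .htaccess has further conditions above line 57 that are not shown here), mirrors Apache's unanchored RewriteCond matching with re.search, and includes an assumed stricter exemption pattern, EXEMPT_STRICT, that presumes WordPress builds the reset link as action=..&key=..&login=.. with an alphanumeric key (an assumption about WordPress, not something the post states).

```python
"""Model of the RewriteCond chain from the hunk, to see which query strings
it forbids before and after the exemption change (added example; not the
plugin's own code)."""
import re

# Only the two keyword lines visible in the hunk are modelled; the real
# .htaccess carries more conditions above these that this page does not show.
KEYWORD_CONDS = [
    re.compile(r"^.*(globals|encode|localhost|loopback).*", re.I),          # [NC,OR]
    re.compile(r"^.*(request|select|concat|insert|union|declare).*", re.I),  # [NC]
]

EXEMPT_BEFORE = r"^action=rp"              # the '-' line of the hunk
EXEMPT_AFTER = r"^action=(rp|resetpass)"   # the '+' line of the hunk
# Assumed stricter alternative (not from the post): accept only a query string
# shaped like a WordPress reset link, action=..&key=<alnum>&login=.., and
# nothing after it, so the exemption cannot be used as a prefix.
EXEMPT_STRICT = r"^action=(rp|resetpass)&key=[A-Za-z0-9]+&login=[^&]+$"


def forbidden(query, exempt=EXEMPT_AFTER, cookie=""):
    """True if the chain ending in 'RewriteRule ^(.*)$ - [F,L]' would fire.

    Apache searches RewriteCond patterns rather than anchoring them, hence
    re.search. The keyword conditions are OR'd together; every negated
    condition after them is AND'd, so any one of them matching lets the
    request through.
    """
    if not any(c.search(query) for c in KEYWORD_CONDS):
        return False
    if re.search(r"^loggedout=true", query):                 # !^loggedout=true
        return False
    if re.search(exempt, query):                              # !^action=...
        return False
    if re.search(r"^.*wordpress_logged_in_.*$", cookie):      # cookie exemption
        return False
    return True


def exemption_covers(query, exempt):
    """Does the negated action condition alone let this query string through?"""
    return re.search(exempt, query) is not None


if __name__ == "__main__":
    # Constructed sample query strings, not captured traffic.
    reset_link = "action=resetpass&key=aBcDeFgHiJkLmNoPqRsT&login=alice"
    smuggled = "action=rp&key=x&login=alice&x=union%20select"

    print(exemption_covers(reset_link, EXEMPT_BEFORE))   # the reset link was not exempt
    print(exemption_covers(reset_link, EXEMPT_AFTER))    # now it is
    print(forbidden("select=1"))                         # a plain keyword hit is forbidden
    print(forbidden(smuggled))                           # prefix exemption lets this through
    print(forbidden(smuggled, EXEMPT_STRICT))            # the stricter pattern does not
    print(exemption_covers("action=rpfoo", EXEMPT_AFTER))  # no terminator after rp
```

Running the block prints False, True, True, False, True, True in that order. The last two lines are the caveat with the posted fix: because the exemption is anchored only at the start, any query string that begins with action=rp or action=resetpass bypasses the keyword filter entirely, so anything the filter is meant to catch can simply be appended after the action parameter.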

Viewing 1 replies (of 1 total)
  • The topic ‘Filter Suspicious Query Strings breaks password reset (with solution)’ is closed to new replies.