[wp-hackers] Wordpress Cookie Authentication Vulnerability

Ryan Boren ryan at boren.nu
Tue Nov 20 07:41:48 GMT 2007


On 11/19/07, Computer Guru <computerguru at neosmart.net> wrote:
> You've got to be kidding me!
>
> I read the first five words then burst out laughing:
> "With read-only access to the Wordpress database"...
>
> Once you've got read-only access to a database, how much more vulnerable do
> you want?

Yeah, it's not a vulnerability in and of itself.  But, in the event
your site is compromised (cough -- WP exploits -- cough), these
measures would prevent someone slurping your password hashes and doing
naughty things with them after you've patched whatever hole was
exploited.  If we can add these extra measures cheaply, they can be
handy when cleaning up after an exploit.

Ryan

