[wp-hackers] Wordpress Cookie Authentication Vulnerability

Otto otto at ottodestruct.com
Thu Nov 22 03:25:08 GMT 2007


It seems like we have two different discussions going on here.

1. Password: If we were to use salt, we could prevent dictionary
attacks. Great. Fine. Whatever. We get it, but that's not the
vulnerability we're talking about here. Salt wouldn't fix this
problem.

2. Cookies: Why are we using double-MD5 as the cookie? Why are we not
using PHP Sessions instead? This would prevent this problem. Anybody
know?

-Otto
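
The two points above, as an added example that is not part of the original message and is not WordPress code. It assumes "double-MD5" means the database stores md5(password) and the cookie is md5 of that stored value; the function names, the salt handling and the in-memory session store are hypothetical.

```python
import hashlib
import hmac
import secrets

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

# Assumption (not stated in the message): the database stores md5(password),
# optionally salted, and the auth cookie is md5 of that stored value.
def stored_hash(password, salt=""):
    return md5_hex(salt + password)

def cookie_from_stored(stored):
    return md5_hex(stored)

def check_derived_cookie(cookie, stored):
    return hmac.compare_digest(cookie, cookie_from_stored(stored))

class SessionStore:
    """Server-side sessions: the cookie is a random id unrelated to the password."""
    def __init__(self):
        self._sessions = {}

    def login(self, user, password, stored, salt=""):
        if not hmac.compare_digest(stored_hash(password, salt), stored):
            return None
        token = secrets.token_hex(16)   # 128 random bits, not derived from any stored value
        self._sessions[token] = user
        return token

    def check(self, token):
        return self._sessions.get(token)

    def logout(self, token):
        self._sessions.pop(token, None)

def demo():
    password, salt = "correct horse", "c0nstructed-salt"   # constructed sample values
    results = {}
    for label, s in (("unsalted", ""), ("salted", salt)):
        row = stored_hash(password, s)          # what a read-only database leak exposes
        # The cookie is a pure function of the row, so the row alone passes the check.
        results[label] = check_derived_cookie(cookie_from_stored(row), row)
    row = stored_hash(password, salt)
    store = SessionStore()
    token = store.login("admin", password, row, salt)
    results["session_accepts_row_derived_value"] = store.check(cookie_from_stored(row)) is not None
    results["session_accepts_issued_token"] = store.check(token) == "admin"
    store.logout(token)                         # a session can be revoked server-side
    results["token_valid_after_logout"] = store.check(token) is not None
    return results
```

Salting changes the stored value but not the fact that the cookie is computed from it, which is why the first point does not address the second.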

