[wp-hackers] Hashing user_activation_key in the database

Harry Metcalfe harry at dxw.com
Thu Jun 13 11:06:00 UTC 2013


PS: I tried to write a plugin to fix this in the interim but suitable 
filters do not exist. That might also be a good thing to consider 
adding, or making pluggable.


On 13/06/13 12:05, Harry Metcalfe wrote:
> Hello all,
>
> During a recent penetration test, the tester found an SQL injection in 
> a plugin. He used that injection to identify an administrative 
> account, then requested a password reset using the form, and then used 
> the injection to retrieve the user_activation_key. Because the key is 
> not hashed, he was able to immediately log in, without having to spend 
> any time trying to break the password hash.
>
> Without finding an SQL injection or arbitrary code execution 
> vulnerability, this is not too much of an issue. But having found one 
> of those things, WordPress generating and setting an unhashed password 
> for the account (which is what it boils down to) makes obtaining 
> unauthorised access very much easier.
>
> I think this is a straightforward enough thing to fix, and I'm happy 
> to jump in and do it. But I thought it might be sensible to consult 
> this list before I go and spend time making a patch for a trac ticket.
>
> What do people (and in particular, core committers) think about this? 
> Is a sensible patch likely to be accepted?
>
> Cheers,
>
> Harry
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
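One way to implement what Harry proposes, as an added PHP example that is neither WordPress core code nor his patch: the storage functions, the TTL and the choice of SHA-256 for a random token are assumptions.

```php
<?php
// Added example (not WordPress core code and not the poster's patch): store only
// a hash of the reset key so a database read (e.g. via SQL injection) yields
// nothing that logs an attacker in. Storage functions and the TTL are assumed.

const RESET_KEY_TTL = 86400; // seconds a reset key stays valid (assumed)

// SHA-256 is enough here: the key is 160 random bits, so it cannot be guessed
// and a slow password hash buys nothing. A slow hash matters for low-entropy
// secrets such as passwords, not for tokens like this one.
function hash_activation_key(string $key): string {
    return hash('sha256', $key);
}

// Reset requested: return the raw key for the e-mail; write "time:hash" to the DB.
function issue_activation_key(int $user_id): string {
    $key = bin2hex(random_bytes(20));
    store_activation_key($user_id, time() . ':' . hash_activation_key($key));
    return $key;
}

// Reset link followed: check expiry, then compare hashes in constant time.
function check_activation_key(int $user_id, string $submitted): bool {
    $stored = load_activation_key($user_id);
    if ($stored === null || strpos($stored, ':') === false) {
        return false;
    }
    [$issued_at, $hash] = explode(':', $stored, 2);
    if (time() - (int) $issued_at > RESET_KEY_TTL) {
        return false; // expired
    }
    return hash_equals($hash, hash_activation_key($submitted));
}

// In-memory stand-ins for the users table (constructed for this example).
$activation_keys = [];
function store_activation_key(int $user_id, string $value): void {
    $GLOBALS['activation_keys'][$user_id] = $value;
}
function load_activation_key(int $user_id): ?string {
    return $GLOBALS['activation_keys'][$user_id] ?? null;
}

$key = issue_activation_key(42);
var_dump(check_activation_key(42, $key));          // valid key is accepted
var_dump(check_activation_key(42, 'not-the-key')); // wrong key is rejected
var_dump(strpos(load_activation_key(42), $key));   // raw key never reaches the table
```

With this layout, the database row holds only the issue time and the digest, so the injection described in the thread would still require breaking a 160-bit random value rather than reading a usable key.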


