[wp-hackers] Hashing user_activation_key in the database

Mika Epstein ipstenu at ipstenu.org
Thu Jun 13 12:58:23 UTC 2013


If the injection came via a plugin, can you also email the plugin name and details to plugins AT Wordpress.org please?

On Jun 13, 2013, at 4:06 AM, Harry Metcalfe <harry at dxw.com> wrote:

> PS: I tried to write a plugin to fix this in the interim but suitable filters do not exist. That might also be a good thing to consider adding, or making pluggable.
> 
> 
> On 13/06/13 12:05, Harry Metcalfe wrote:
>> Hello all,
>> 
>> During a recent penetration test, the tester found an SQL injection in a plugin. He used that injection to identify an administrative account, then requested a password reset using the form, and then used the injection to retrieve the user_activation_key. Because the key is not hashed, he was able to immediately log in, without having to spend any time trying to break the password hash.
>> 
>> Without finding an SQL injection or arbitrary code execution vulnerability, this is not too much of an issue. But having found one of those things, WordPress generating and setting an unhashed password for the account (which is what it boils down to) makes obtaining unauthorised access very much easier.
>> 
>> I think this is a straightforward enough thing to fix, and I'm happy to jump in and do it. But I thought it might be sensible to consult this list before I go and spend time making a patch for a trac ticket.
>> 
>> What do people (and in particular, core committers) think about this? Is a sensible patch likely to be accepted?
>> 
>> Cheers,
>> 
>> Harry
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
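The mitigation the thread asks for, as an added example that is not WordPress core code or the patch discussed above: the reset key is stored only as a hash with an issue time, so a read-only SQL injection against the users table yields nothing that can be pasted into the reset form. The function names, the in-memory `$db` array standing in for the users table, and the one-day lifetime are assumptions for the demonstration.

```php
<?php
// Added example (not WordPress core): a password-reset key store that keeps
// only a hash of the key in the "user_activation_key" column. Names and the
// $db array are hypothetical stand-ins for the real users table.

const RESET_KEY_TTL = 24 * 60 * 60; // assumed lifetime: one day

// Issue a reset key. The caller emails $plain to the user; only
// "<issue time>:<hash>" is written to the database.
function issue_reset_key(array &$db, int $user_id): string {
    $plain = bin2hex(random_bytes(20));           // 160 bits of entropy
    $hash  = password_hash($plain, PASSWORD_DEFAULT);
    $db[$user_id]['user_activation_key'] = time() . ':' . $hash;
    return $plain;
}

// Check a key presented on the reset form. True only if a record exists,
// it has not expired, and the presented key matches the stored hash.
function verify_reset_key(array $db, int $user_id, string $presented): bool {
    if (!isset($db[$user_id]['user_activation_key'])) {
        return false;
    }
    $parts = explode(':', $db[$user_id]['user_activation_key'], 2);
    if (count($parts) !== 2) {
        return false;                             // empty or malformed record
    }
    [$issued, $hash] = $parts;
    if (!ctype_digit($issued) || time() - (int)$issued > RESET_KEY_TTL) {
        return false;                             // expired key
    }
    return password_verify($presented, $hash);    // constant-time compare
}

// Consume the key after a successful reset so it cannot be replayed.
function clear_reset_key(array &$db, int $user_id): void {
    $db[$user_id]['user_activation_key'] = '';
}

// Constructed demonstration with an in-memory "table".
$db  = [1 => ['user_login' => 'admin', 'user_activation_key' => '']];
$key = issue_reset_key($db, 1);
assert(verify_reset_key($db, 1, $key) === true);
assert(verify_reset_key($db, 1, 'wrong-key') === false);
// What a database read exposes is not itself a usable key:
assert(verify_reset_key($db, 1, $db[1]['user_activation_key']) === false);
clear_reset_key($db, 1);
assert(verify_reset_key($db, 1, $key) === false);
```

The stored column can still be read by the same injection, but without the plaintext key it has to be brute-forced like any other password hash, which is the property the original post says was missing.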

