[wp-hackers] Security Vulnerability found

Robert Deaton false.hopes at gmail.com
Wed Apr 13 20:17:30 GMT 2005

The way I see this, it is entirely silly that someone would post such a 

As far as Denis' comments, if I remember correctly passwords are stored as a 
double hashed md5, which would be very tiresome to reverse, although it 
would still be possible, but this isn't the way a person would go about 
stealing accounts imho. As far as IP address checking, it inadvertantly 
defeats the purpose of cookies for those who are on dialup or an ISP that 
changes IP addresses constantly. As far as optionally logging off after a 
certain period, WordPress already does it, although it is a very long 
period. If someone leaves their blog logged in at a cybercafe, there's not 
much that can be done to help, except moving to sessions so that when the 
browser is closed the session is destroyed. I had a working hacked together 
session script, but its been lost in my clutter, but maybe it is something 
we should consider and do like many sites do by having a checkbox to use 
sessions if at a public terminal.

On 4/13/05, David Chait <davebytes at comcast.net> wrote:
> How about making the user-level below which the restriction is in effect 
> be a dropdown list in the options somewhere... and have the lowest be 2, so 
> no 'accidents'.
>  -d
> ----- Original Message ----- 
> *From:* Amit Gupta <amit at igeek.info> 
> *To:* wp-hackers at lists.automattic.com 
> *Sent:* Wednesday, April 13, 2005 2:58 PM
> *Subject:* Re: [wp-hackers] Security Vulnerability found
>  "Matthew Mullenweg" <m at mullenweg.com> wrote:
> > That said, I think a default feature restricting users lower than level 
> > 8 to a known subset of HTML would be useful, and will be including a 
> > future release. A while back Mark Ghosh created the giant array that 
> > KSES needs to accomplish this, I'm sure he (or I) still have it 
> > somewhere.
>  I'd say, make that optional. I've got a multi-author blog but
> I don't want everyone access to admin functions. So I've all
> of them on level 2 & some on level 5(sub-admins).
> But I want them to be able to post any HTML they want as they
> are trusted that much. :)
> -----
> Amit Gupta
> || Canned!! -- my Atropine <http://blog.igeek.info/> || iG:Syntax Hiliter 
> v2.01<http://blog.igeek.info/still-fresh/2004/11/22/igsyntax-hiliter-2-final/>||
> || iGEEK.INFO <http://www.igeek.info/> || Free Nokia Ringtones<http://www.igeek.info/ringtones.php>|| Online 
> Gaming @ Games Planet <http://www.igeek.info/games.php> || 
>  ------------------------------
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

--Robert Deaton
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://comox.textdrive.com/pipermail/wp-hackers/attachments/20050413/87429eb1/attachment-0001.html

More information about the wp-hackers mailing list