[wp-hackers] Security Vulnerability found

Mark Jaquith mark.wordpress at txfx.net
Wed Apr 13 21:21:37 GMT 2005

Robert Deaton wrote:

> The way I see this, it is entirely silly that someone would post such 
> a vunerability.
> As far as Denis' comments, if I remember correctly passwords are 
> stored as a double hashed md5, which would be very tiresome to 
> reverse, although it would still be possible, but this isn't the way a 
> person would go about stealing accounts imho. As far as IP address 
> checking, it inadvertantly defeats the purpose of cookies for those 
> who are on dialup or an ISP that changes IP addresses constantly. As 
> far as optionally logging off after a certain period, WordPress 
> already does it, although it is a very long period. If someone leaves 
> their blog logged in at a cybercafe, there's not much that can be done 
> to help, except moving to sessions so that when the browser is closed 
> the session is destroyed. I had a working hacked together session 
> script, but its been lost in my clutter, but maybe it is something we 
> should consider and do like many sites do by having a checkbox to use 
> sessions if at a public terminal.

Jennifer suggested this back in October: 

I think a "Remember me" checkbox on login would be really useful.  It's 
worked well for Movable Type.  I'm just always afraid that I'm going to 
log in at a public place and forget to log out.

More information about the wp-hackers mailing list