[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Fri Apr 21 22:11:14 GMT 2006

On 4/21/06, Doug Stewart <dstewart at atl.lmco.com> wrote:
> It's quick and Relatively Good Enough for operations (like in this case)
> whose timeframe for expiration are far shorter than the time it would
> take to crack the hash itself.  Although, the Wikipedia article Robert
> linked to does point out a lot of the shortcomings with MD5.  Why don't
> we use sha1() instead?


sha1() is >=4.3.0 only, compat functions would be incredibly slow.

Besides that, the shortcomings of md5 are tiny and irrelevant in this
case, where all we need is a hash. Even though collisions can be
generated relatively quickly for MD5 now, we don't have to worry,
because even if someone somehow found one of our nonces, a collision
for that nonce is useless toward cracking anything, because our hash
is munged with a 5 digit integer, the database password, and the
user_id of the person the hash is for. There is currently (and
probably never will be) a way to isolate a tiny bit of the source
string even if the time and the user id were known, or to generate a
collision on only part of the source string, so the issues are
unfounded (but is a valid point for switching our passwords to sha1,
however this is a different thread).

--Robert Deaton

More information about the wp-hackers mailing list