[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Sat Apr 22 00:15:26 GMT 2006


On 4/21/06, Paul Mitchell <wp-hackers at paul-mitchell.me.uk> wrote:
> Given that WordPress is multi-user, nonces will be available to anyone
> entrusted with access to so-protected admin functions by the blog owner,
> who is presumably also the sole knower of the database password.

"entrusted with access" are some key words here. If you don't trust
your users not to bring down your site, do not give them access.

> I probably don't appreciate the scale of effort required to extract
> data from nonces, but was the blog database password subject to
> cryptographic attack, theoretical or otherwise, prior to the
> introduction of the nonce? It was the use of the database password for
> something other than connecting to the database that caught my eye in
> the first place.

DB_PASS has been used as salt in various places. At one point (I don't
remember if it still is, but) it was used in cron, it's used in the db
backup plugin, it's used in the persistent options cache. This risk is
infinitely small.

--
--Robert Deaton
http://somethingunpredictable.com

