[wp-hackers] Rethinking check_admin_referer()
Robert Deaton
false.hopes at gmail.com
Sat Apr 22 02:23:33 GMT 2006
On 4/21/06, Sam Angove <sam at rephrase.net> wrote:
> On 4/22/06, Owen Winkler <ringmaster at midnightcircus.com> wrote:
> >
> > I don't mind criticism, but I'm not keen on people alluding to severe
> > security issues like revealing the database password without having
> > something other than raw speculation to back it up. Patch in this diff
> > and test it, and when you find the vulnerability you're worried about,
> > then we'll talk.
>
> For token `md5($end . DB_PASS . $action . $uid)`, can't you do:
>
> foreach ($dictionary as $word) {
> if (md5($known_time . $word . $known_action . $known_uid) == $known_nonce) {
> echo "omg! the db password is $word !!!1";
> }
> }
>
a nonce: efa6f570e5736800e6ef28783c15fc41
the action: deletepost
the time: Fri Apr 21, 10:20:53 PM EDT
my UID: 1
Please, take down my site once you have cracked my database password.
*Hibernates for 20 years*
--
--Robert Deaton
http://somethingunpredictable.com
More information about the wp-hackers
mailing list