[wp-hackers] Rethinking check_admin_referer()
false.hopes at gmail.com
Sat Apr 22 03:48:03 GMT 2006
On 4/21/06, David Chait <davebytes at comcast.net> wrote:
> But really, skip the double-md5, just substr to remove some number of
> characters off the hash, should be amazingly fast compared to the original
> md5, and that should make it (nearly) impossible to reverse-crack. (right?)
> No human-perceptible time to a substr (I hope not!), and it makes the hash
> 'incomplete' to a hacker.
I've got no problem with this, but I'll warn in advance of the "nonces
are too short and not varied enough because they're only hexadecimal,
we only have 2^[number of chars we keep] possible combinations, and so
they can be brute forced in only 10 years. Let me raise some hell on
the hackers list over nothing."
> Just imho. Anything to stop the 'here, try to hack my site' emails! ;)
Anything to stop the "look, I can hack your site in 10 years if I can
get a nonce" emails.
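The scheme being discussed above (keyed hash, keep only a substring of the hex digest, so the full hash is never exposed) can be shown in a few lines. This is an added example, not code from the thread or from WordPress; the secret key, the 10-character length, the 12-hour tick and the two-tick grace window are all assumptions chosen for illustration. It also includes the search-space arithmetic the reply alludes to: each hex character carries 4 bits, so keeping n characters leaves 16**n = 2**(4n) possible nonces, and a verifier should compare in constant time so the remaining bits are not leaked through timing.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real site would use a long,
# random, per-installation key (an assumption, not WordPress's own key handling).
SECRET_KEY = b"example-secret-key-not-for-production"

NONCE_HEX_CHARS = 10          # hypothetical number of hex characters kept
TICK_SECONDS = 12 * 60 * 60   # hypothetical validity window: one tick = 12 hours


def nonce_tick(now=None):
    """Coarse time bucket so a nonce expires without server-side state."""
    now = time.time() if now is None else now
    return int(now // TICK_SECONDS)


def create_nonce(action, user_id, tick):
    """Keyed MD5 over (action, user, tick), truncated to NONCE_HEX_CHARS hex chars.

    Truncation is the 'substr' step from the quoted message: the client sees
    only a prefix, so the full digest is never disclosed.
    """
    msg = f"{action}|{user_id}|{tick}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.md5).hexdigest()
    return digest[:NONCE_HEX_CHARS]


def verify_nonce(nonce, action, user_id, now=None):
    """Accept the current tick or the previous one; compare in constant time."""
    tick = nonce_tick(now)
    for candidate_tick in (tick, tick - 1):
        expected = create_nonce(action, user_id, candidate_tick)
        # compare_digest avoids leaking how many leading characters matched.
        if hmac.compare_digest(nonce, expected):
            return True
    return False


def keyspace_bits(hex_chars):
    """Each hex character is 4 bits, so n chars give 16**n = 2**(4*n) values."""
    return 4 * hex_chars


def expected_guesses(hex_chars):
    """Average blind guesses needed to hit one valid nonce: half the space."""
    return 2 ** keyspace_bits(hex_chars) // 2


if __name__ == "__main__":
    t = nonce_tick()
    n = create_nonce("delete-post", 7, t)
    print("nonce:", n, "valid:", verify_nonce(n, "delete-post", 7))
    print("bits:", keyspace_bits(NONCE_HEX_CHARS),
          "expected guesses:", expected_guesses(NONCE_HEX_CHARS))
```

The tick plus the grace window is what bounds the useful lifetime of a captured nonce; the truncation only bounds how much of the keyed digest an attacker ever sees. Rate limiting at the verifier is the usual complement, since the search space alone is what the "10 years" arithmetic rests on.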