[wp-hackers] Rethinking check_admin_referer()
sam at rephrase.net
Sat Apr 22 04:02:51 GMT 2006
Brian Layman wrote:
>The first thing is that Owen encrypts using both the DB password AND the
> current user password.
If that's the case then I apologize for wasting everyone's time. In
the nonce.2.diff patch on trac, it's this:
md5($end . DB_PASS . $action . $uid);
I don't see a user password there.
Also: DB_PASS is actually undefined; I think we want DB_PASSWORD. ;)
(On that note, Robert, the nonce you posted thinks your password is
the string 'DB_PASS'.)
On 4/22/06, Robert Deaton <false.hopes at gmail.com> wrote:
> Like I said before, people with access to your blog should be "trusted
> users" as someone said earlier. If you can't trust the users on your
> blog, you have bigger issues at hand.
There's an option for user registration. If untrusted users shouldn't
be registered, that option needs to be removed.
> a rainbow table, that happens to be
> prepended with a five digit integer and augmented with a 1-2 digit
> integer, now this I'd like to see.
Oh man, I don't know what I was thinking. /me smacks self. Maybe
against people with 2-character DB passwords... ;)
> This would be self-admission of trolling, imho.
No, this would be an admission that I'm not a kook who's going to fly
off the handle and start scare-mongering all over the place if it
> Any extra salt is going to
> come with the same exact criticism as having DB_PASS as salt.
Well yeah, but it'd take exponentially longer to break.
> This is also something that has to be propogated on every WP admin
> action, and so anything that adversely affects performance is a -1, we
> get enough complaints of how bad WP damages servers and buckles under
> load as it is. We're playing in a world where 17ms makes a human
> perceptible difference in the loading time.
In the benchmark I just ran, one md5() took ~0.007ms. YMMV, but to me
it doesn't look like a problem.
More information about the wp-hackers