[wp-hackers] Rethinking check_admin_referer()

Sam Angove sam at rephrase.net
Sat Apr 22 04:02:51 GMT 2006

Brian Layman wrote:
>The first thing is that Owen encrypts using both the DB password AND the
> current user password.
If that's the case then I apologize for wasting everyone's time. In
the nonce.2.diff patch on trac, it's this:

   md5($end . DB_PASS . $action . $uid);

I don't see a user password there.

Also: DB_PASS is actually undefined; I think we want DB_PASSWORD. ;)

(On that note, Robert, the nonce you posted thinks your password is
the string 'DB_PASS'.)

On 4/22/06, Robert Deaton <false.hopes at gmail.com> wrote:
> Like I said before, people with access to your blog should be "trusted
> users" as someone said earlier. If you can't trust the users on your
> blog, you have bigger issues at hand.

There's an option for user registration. If untrusted users shouldn't
be registered, that option needs to be removed.

> a rainbow table, that happens to be
> prepended with a five digit integer and augmented with a 1-2 digit
> integer, now this I'd like to see.

Oh man, I don't know what I was thinking. /me smacks self. Maybe
against people with 2-character DB passwords... ;)

> This would be self-admission of trolling, imho.

No, this would be an admission that I'm not a kook who's going to fly
off the handle and start scare-mongering all over the place if it
isn't changed.

> Any extra salt is going to
> come with the same exact criticism as having DB_PASS as salt.

Well yeah, but it'd take exponentially longer to break.

> This is also something that has to be propagated on every WP admin
> action, and so anything that adversely affects performance is a -1, we
> get enough complaints of how bad WP damages servers and buckles under
> load as it is. We're playing in a world where 17ms makes a human
> perceptible difference in the loading time.

In the benchmark I just ran, one md5() took ~0.007ms. YMMV, but to me
it doesn't look like a problem.
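The points raised above (the DB_PASS/DB_PASSWORD typo, what a short DB password buys as salt, and the cost of one md5()) in one runnable script. This is an added example, not the nonce.2.diff patch or WordPress code; the nonce shape follows the md5() line quoted above, but the functions make_nonce, verify_nonce, effective_secret, recover_secret and md5_microseconds, the 'xy' value for DB_PASSWORD, and the sample $end/$action/$uid are all constructed here for illustration.

```php
<?php
// Constructed example (not from the nonce.2.diff patch or from WordPress).
// DB_PASSWORD stands in for the value wp-config.php defines; 'xy' is
// deliberately weak so the search below finishes instantly.
define('DB_PASSWORD', 'xy');

// Nonce in the patch's shape, with the constant spelled correctly.  $end is the
// end of the validity window, $action the admin action, $uid the user id.
function make_nonce(int $end, string $action, int $uid, string $secret = DB_PASSWORD): string
{
    return md5($end . $secret . $action . $uid);
}

function verify_nonce(string $nonce, int $end, string $action, int $uid): bool
{
    // Constant-time comparison; a loose == would also treat "0e..." digests as equal.
    return hash_equals(make_nonce($end, $action, $uid), $nonce);
}

// The patch's DB_PASS: wp-config.php never defines it.  Before PHP 8 an
// undefined constant evaluates to its own name (with a notice), so the "secret"
// silently becomes the public string 'DB_PASS'; PHP 8 throws an Error instead.
function effective_secret(string $constant_name): string
{
    return defined($constant_name) ? (string) constant($constant_name) : $constant_name;
}

// Offline search a registered user can run against one nonce issued to them:
// $end, $action and $uid are all known to that user, so only the secret is
// unknown.  Enumerates every string over $alphabet of length 1..$maxlen.
function recover_secret(string $nonce, int $end, string $action, int $uid,
                        string $alphabet, int $maxlen): ?string
{
    $n = strlen($alphabet);
    for ($len = 1; $len <= $maxlen; $len++) {
        $total = $n ** $len;
        for ($i = 0; $i < $total; $i++) {
            // Write $i in base $n, one alphabet character per digit.
            $cand = '';
            $x = $i;
            for ($k = 0; $k < $len; $k++) {
                $cand = $alphabet[$x % $n] . $cand;
                $x = intdiv($x, $n);
            }
            if (hash_equals($nonce, make_nonce($end, $action, $uid, $cand))) {
                return $cand;
            }
        }
    }
    return null;
}

// Rough per-call cost of md5(), the figure the thread argues about.
function md5_microseconds(int $iterations = 100000): float
{
    $start = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        md5('12345xyupdate-post42');
    }
    return (microtime(true) - $start) * 1e6 / $iterations;
}

// Sample values, constructed for the demo.
$end = 12345; $action = 'update-post'; $uid = 42;
$nonce = make_nonce($end, $action, $uid);
printf("nonce:                   %s\n", $nonce);
printf("verify:                  %s\n", verify_nonce($nonce, $end, $action, $uid) ? 'ok' : 'FAIL');
printf("DB_PASS resolves to:     %s\n", effective_secret('DB_PASS'));
printf("DB_PASSWORD resolves to: %s\n", effective_secret('DB_PASSWORD'));
$alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
printf("recovered secret:        %s\n", recover_secret($nonce, $end, $action, $uid, $alphabet, 2) ?? 'none');
printf("md5():                   ~%.3f us per call\n", md5_microseconds());
```

With the two-character password the search tries at most 36 + 36^2 = 1332 md5() calls before printing "recovered secret: xy"; raising $maxlen (or using a real, long DB_PASSWORD) is what makes the same loop impractical, which is the whole argument for the salt's strength depending on the password's length rather than on the scheme.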
