[wp-hackers] Rethinking check_admin_referer()

Brian Layman Brian at TheCodeCave.com
Sat Apr 22 04:18:59 GMT 2006


Sam:
>If that's the case then I apologize for wasting everyone's time. In the
>nonce.2.diff patch on trac, it's this:
>md5($end . DB_PASS . $action . $uid);
>I don't see a user password there.

You, sir, are correct.  I saw what I wanted to see. That's not the
hashed UserPW, but the user ID.  The hashed PW would be more secure of
course, but the DB_Password will still be a difficult item to guess at.


Is there anyone here that was assigned a simple single word MySQL DB
password by their shared server host?
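The nonce shape quoted from nonce.2.diff above, hash(tick . secret . action . uid), worked through as an added Python illustration that is not part of this thread or of WordPress's code. The tick window, the 12-character truncation, the placeholder DB_PASS value and the HMAC variant shown beside the md5 form are all assumptions made for the example; what it demonstrates is that the action and user id are bound into the value, that the value expires with the tick, and that everything rests on the secret, which is exactly why a weak DB password matters.

```python
import hashlib
import hmac
import time

# Constructed placeholder standing in for WordPress's DB_PASS; not a real value.
DB_PASS = "example-secret-not-real"
# Assumed nonce lifetime in seconds; a "tick" is half of it so a nonce issued late
# in one tick is still accepted early in the next (the $end-style time window).
NONCE_LIFE = 24 * 60 * 60


def nonce_tick(now=None):
    """Time bucket the nonce is bound to; changes every NONCE_LIFE / 2 seconds."""
    now = time.time() if now is None else now
    return int(now / (NONCE_LIFE / 2))


def create_nonce(action, uid, tick, secret=DB_PASS):
    """Patch-style nonce: md5(tick . secret . action . uid), truncated (assumed) to 12 hex chars."""
    data = f"{tick}{secret}{action}{uid}".encode()
    return hashlib.md5(data).hexdigest()[-12:]


def create_nonce_hmac(action, uid, tick, secret=DB_PASS):
    """Same binding, but with a keyed hash: the secret is the key rather than part of the message.
    This is a hardening choice for the example, not what the quoted patch does."""
    msg = f"{tick}|{action}|{uid}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()[-12:]


def verify_nonce(nonce, action, uid, now=None, secret=DB_PASS, maker=create_nonce):
    """Recompute for the current and previous tick; constant-time compare avoids timing leaks.
    Returns True only if the nonce matches this action and user within the window."""
    tick = nonce_tick(now)
    for t in (tick, tick - 1):
        expected = maker(action, uid, t, secret)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed timestamp
    n = create_nonce("delete-post", 5, nonce_tick(issued_at))
    print("same action/user, same tick:", verify_nonce(n, "delete-post", 5, now=issued_at))
    print("other action:", verify_nonce(n, "edit-post", 5, now=issued_at))
    print("other user:", verify_nonce(n, "delete-post", 6, now=issued_at))
    print("two ticks later:", verify_nonce(n, "delete-post", 5, now=issued_at + NONCE_LIFE))
```

Swapping a different secret into create_nonce changes every nonce, which is the point of the thread: the value is only as unguessable as DB_PASS, and the user id adds no secrecy since it is public.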


