[wp-hackers] Rethinking check_admin_referer()
Brian at TheCodeCave.com
Sat Apr 22 04:18:59 GMT 2006
>If that's the case then I apologize for wasting everyone's time. In the
nonce.2.diff patch on trac, it's this:
>md5($end . DB_PASS . $action . $uid);
>I don't see a user password there.
You, sir, are correct. I saw what I wanted to see. That's not the
hashed UserPW, but the user ID. The hashed PW would be more secure of
course, but the DB_Password will still be a difficult item to guess at.
Is there anyone here that was assigned a simple single word MySQL DB
password by their shared server host?
More information about the wp-hackers