[wp-hackers] Wordpress Cookie Authentication Vulnerability

Peter Westwood peter.westwood at ftwr.co.uk
Tue Nov 20 18:00:52 GMT 2007


On Tue, November 20, 2007 5:42 pm, Bas Bosman wrote:
>> Is there any reason in particular WP is using MD5 as opposed to a
>> stronger algorithm?
>
> Yes, because WordPress still supports PHP 4.2, which doesn't really have
> any good support for a stronger algorithm.
>
> But as mentioned in the Trac ticket, MD5 isn't the issue here. The issue
> is that we have a guessable cookie, based on read-only database access or
> non-SSL network sniffing.
>
> I think Otto gave a nice overview of a possible solution. Which can
> optionally be enhanced by linking login cookies to IP addresses to further
> minimize the chances of cookie stealing. (Mark the optional, because it
> can have unwanted side-effects in some network setups)
>

This solution sounds good.

IP Address linking has to be optional plugin material because a large
portion of the WordPress userbase will be in one of those strange network
setups - like the AOL multiple proxy setup where you get a different proxy
for each HTTP request quite often.

-- 
Peter Westwood <peter.westwood at ftwr.co.uk>
http://blog.ftwr.co.uk
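
The following sketch is an added example, not part of the original message and not WordPress code. It contrasts a cookie that can be computed from database contents alone with one keyed by a server-side secret and carrying an expiry, with IP binding as an opt-in. The function names, the cookie layout and the secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumption: this secret lives in a config file, not in the database,
# so read-only database access alone is not enough to mint a cookie.
SERVER_SECRET = b"constructed-example-secret"

def weak_cookie(pass_hash):
    # Constructed illustration of the problem discussed in the thread:
    # everything needed to compute this value is stored in the database.
    return hashlib.md5(pass_hash.encode()).hexdigest()

def cookie_mac(user, pass_hash, expires, client_ip):
    # The stored hash is mixed in so a password change invalidates old
    # cookies; the IP is part of the MAC only when binding is enabled.
    msg = "|".join([user, pass_hash, str(expires), client_ip or ""])
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, pass_hash, ttl, now=None, client_ip=None):
    expires = int(now if now is not None else time.time()) + ttl
    return f"{user}|{expires}|{cookie_mac(user, pass_hash, expires, client_ip)}"

def verify_cookie(cookie, lookup_pass_hash, now=None, client_ip=None):
    """Return the user name if the cookie is valid, else None."""
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3 or not (parts[1].isascii() and parts[1].isdigit()):
        return None
    user, expires, mac = parts[0], int(parts[1]), parts[2]
    if expires < (now if now is not None else time.time()):
        return None  # expired: a sniffed cookie stops working eventually
    pass_hash = lookup_pass_hash(user)
    if pass_hash is None:
        return None
    expected = cookie_mac(user, pass_hash, expires, client_ip)
    # Constant-time comparison of the presented and expected MACs.
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return user if ok else None
```

Passing `client_ip=None` on both sides leaves IP binding off, which is the default that suits the rotating-proxy setups described above.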

