[wp-hackers] Wordpress Cookie Authentication Vulnerability
Jacob
wordpress at santosj.name
Thu Nov 22 05:39:29 GMT 2007
I agree that this should move from discussions on how to do it to
actually doing something.
What Travis Snoozy said is accurate: WordPress has a salt and hashing
function now (the last two functions in pluggable.php), and most of what you
need is contained in pluggable.php as well.
The only thing you would need to do to create a permanent user id is:
1. Override the wp_get_cookie_login() function since it has to return
the clear text username and MD5 password. Really, this step is not
required if you hook into the wp_authenticate action and reference the
two parameters to get the username and password.
2. The wp_setcookie() function needs to be overwritten, since it does the
double hashing of the password. Using the method [1] described in the
ticket [2], I would say that it should be this method. Whether or not
the session id is given is up in the air (
    session_set_cookie_params(31536000, COOKIEPATH);
    session_start();
), then use the session id with the method.
3. wp_clearcookie(), only if you replace USER_COOKIE and PASS_COOKIE
with something else in the plugin or core.
In which case, it could be entirely possible to use
session_set_cookie_params and sessions completely instead of setting the
username and password in the cookie, and keep the session for as long as
the user doesn't sign out, or destroy it if the visitor isn't signed in (no
reason to keep the session for as long as the cookie).
I say, two such plugins are in order. One which takes the complete
session based approach for those whose hosts don't suck and the other
which still uses the cookie approach.
4. In registration.php, wp_insert_user() would have to be used to use
wp_hash(). However, this step is something entirely different and not
part of the issue. However, I would rather like it if I could say, use
MySQL AES instead to encrypt the password, which from what I can see, I
can't really do (haven't looked at wp_register.php).
--
Jacob Santos
http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.
Also known as darkdragon and santosj on WP trac.
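An added example (not code from the post or from WordPress) of the session-backed variant Jacob outlines in steps 1 to 3: the browser cookie carries only an opaque PHP session id, and the login name plus the double-hashed password the core check expects stay server side in $_SESSION. It assumes WordPress 2.3-era pluggable.php semantics, where a plugin that defines wp_setcookie(), wp_get_cookie_login() and wp_clearcookie() before core loads replaces the core versions, and the wp_setcookie() parameter list shown here; EXAMPLE_SESSION_LIFETIME and example_start_session() are names introduced for this example.

```php
<?php
/* Plugin Name: Session-backed login cookie (added example, not WordPress code) */
// Assumed: core login check still expects array('login' => ..., 'password' => <double MD5>)
// from wp_get_cookie_login(); COOKIEPATH is the WordPress cookie-path constant.

define('EXAMPLE_SESSION_LIFETIME', 31536000); // one year, as in the post

function example_start_session() {
    if (session_id() !== '') {
        return;
    }
    // Browser only ever holds the opaque session id, scoped to COOKIEPATH and
    // marked HttpOnly so page scripts cannot read it (5th argument, PHP >= 5.2).
    session_set_cookie_params(EXAMPLE_SESSION_LIFETIME, COOKIEPATH, '', false, true);
    session_start();
}

if (!function_exists('wp_setcookie')) :
function wp_setcookie($username, $password = '', $already_md5 = false,
                      $home = '', $siteurl = '', $remember = false) {
    example_start_session();
    session_regenerate_id(true);         // fresh id at login, old one discarded
    if (!$already_md5) {
        $password = md5(md5($password)); // same double hash core puts in PASS_COOKIE
    }
    // Password-derived value stays server side instead of travelling in the cookie
    $_SESSION['wp_login'] = $username;
    $_SESSION['wp_pass']  = $password;
}
endif;

if (!function_exists('wp_get_cookie_login')) :
function wp_get_cookie_login() {
    example_start_session();
    if (empty($_SESSION['wp_login']) || empty($_SESSION['wp_pass'])) {
        return false;
    }
    return array('login' => $_SESSION['wp_login'], 'password' => $_SESSION['wp_pass']);
}
endif;

if (!function_exists('wp_clearcookie')) :
function wp_clearcookie() {
    example_start_session();
    $_SESSION = array();
    setcookie(session_name(), '', time() - 3600, COOKIEPATH); // expire the id cookie
    session_destroy();                                        // drop server-side record
}
endif;
```

PHP's session.gc_maxlifetime still bounds how long the server keeps the session record, so a one-year cookie lifetime on its own does not guarantee a one-year login.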