[wp-hackers] Hashing user_activation_key in the database
harry at dxw.com
Thu Jun 13 11:05:00 UTC 2013
During a recent penetration test, the tester found an SQL injection in a
plugin. He used that injection to identify an administrative account,
then requested a password reset using the form, and then used the
injection to retrieve the user_activation_key. Because the key is not
hashed, he was able to immediately log in, without having to spend any
time trying to break the password hash.
Without finding an SQL injection or arbitrary code execution
vulnerability, this is not too much of an issue. But having found one of
those things, WordPress generating and setting an unhashed password for
the account (which is what it boils down to) makes obtaining
unauthorised access very much easier.
I think this is a straightforward enough thing to fix, and I'm happy to
jump in and do it. But I thought it might be sensible to consult this
list before I go and spend time making a patch for a trac ticket.
What do people (and in particular, core committers) think about this? Is
a sensible patch likely to be accepted?
More information about the wp-hackers