[wp-hackers] Hashing user_activation_key in the database
Harry Metcalfe
harry at dxw.com
Thu Jun 13 11:06:00 UTC 2013
PS: I tried to write a plugin to fix this in the interim but suitable
filters do not exist. That might also be a good thing to consider
adding, or making pluggable.
On 13/06/13 12:05, Harry Metcalfe wrote:
> Hello all,
>
> During a recent penetration test, the tester found an SQL injection in
> a plugin. He used that injection to identify an administrative
> account, then requested a password reset using the form, and then used
> the injection to retrieve the user_activation_key. Because the key is
> not hashed, he was able to immediately log in, without having to spend
> any time trying to break the password hash.
>
> Without finding an SQL injection or arbitrary code execution
> vulnerability, this is not too much of an issue. But having found one
> of those things, WordPress generating and setting an unhashed password
> for the account (which is what it boils down to) makes obtaining
> unauthorised access very much easier.
>
> I think this is a straightforward enough thing to fix, and I'm happy
> to jump in and do it. But I thought it might be sensible to consult
> this list before I go and spend time making a patch for a trac ticket.
>
> What do people (and in particular, core committers) think about this?
> Is a sensible patch likely to be accepted?
>
> Cheers,
>
> Harry
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
More information about the wp-hackers
mailing list