[wp-hackers] Hashing user_activation_key in the database
Harry Metcalfe
harry at dxw.com
Fri Jun 14 09:35:15 UTC 2013
It's quite popular, but it's already been patched and a new version
released. So if you're up to date you'll be fine.
Harry
On 13/06/13 17:32, Sinan wrote:
> How much people download that plugin? Dont say name. I just wanna know is
> it popular plugin.
>
>
> 2013/6/13 Harry Metcalfe <harry at dxw.com>
>
>> Yup, that was done at the time.
>>
>> H
>>
>>
>>
>> On 13/06/13 13:58, Mika Epstein wrote:
>>
>>> If the injection came via a plugin, can you also email the plugin name
>>> and details to plugins AT Wordpress.org please?
>>>
>>> On Jun 13, 2013, at 4:06 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>>
>>> PS: I tried to write a plugin to fix this in the interim but suitable
>>>> filters do not exist. That might also be a good thing to consider adding,
>>>> or making pluggable.
>>>>
>>>>
>>>> On 13/06/13 12:05, Harry Metcalfe wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> During a recent penetration test, the tester found an SQL injection in
>>>>> a plugin. He used that injection to identify an administrative account,
>>>>> then requested a password reset using the form, and then used the injection
>>>>> to retrieve the user_activation_key. Because the key is not hashed, he was
>>>>> able to immediately log in, without having to spend any time trying to
>>>>> break the password hash.
>>>>>
>>>>> Without finding an SQL injection or arbitrary code execution
>>>>> vulnerability, this is not too much of an issue. But having found one of
>>>>> those things, WordPress generating and setting an unhashed password for the
>>>>> account (which is what it boils down to) makes obtaining unauthorised
>>>>> access very much easier.
>>>>>
>>>>> I think this is a straightforward enough thing to fix, and I'm happy to
>>>>> jump in and do it. But I thought it might be sensible to consult this list
>>>>> before I go and spend time making a patch for a trac ticket.
>>>>>
>>>>> What do people (and in particular, core committers) think about this?
>>>>> Is a sensible patch likely to be accepted?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Harry
>>>>> ______________________________**_________________
>>>>> wp-hackers mailing list
>>>>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
>>>>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>>>>
>>>> ______________________________**_________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
>>>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>>>
>>> ______________________________**_________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
>>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>>
>> ______________________________**_________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.**com <wp-hackers at lists.automattic.com>
>> http://lists.automattic.com/**mailman/listinfo/wp-hackers<http://lists.automattic.com/mailman/listinfo/wp-hackers>
>>
>
>
More information about the wp-hackers
mailing list