[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Sat Dec 1 15:05:21 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by westi):
Replying to [comment:22 sjmurdoch]:
> Replying to [comment:18 westi]:
> > I've uploaded a first pass patch for auth cookies
>
> It looks like the cookie is of the form:
>
> {{{md5(DB_PASSWORD.DB_USER.DB_NAME.DB_HOST.ABSPATH.$username.uniqid(microtime()))}}}
>
> and the hash of this is stored in the database.
>
> If uniqid() isn't unpredictable, it would be possible to brute force the
> database password (the rest of the fields are pretty easy to guess in most
> situations). How secure is uniqid() in this usage?
>
> Is there a better way to get unpredictable pseudorandom numbers?
That is the current cookie format in this patch.

It is in no way intended to be the final format - I just wanted something
which would generate a hopefully unique cookie per-user for testing the
infrastructure changes with WordPress - splitting out the login handling
from the cookie verification.

We do need to analyse the predictability of the cookies and ideally find a
good available source of entropy for our random numbers.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:24>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
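As an added illustration (not code from the patch or from WordPress itself), the cookie construction quoted in the thread beside one that takes its token from the OS CSPRNG and stores only the token's hash, so that a captured cookie gives nothing to work with against DB_PASSWORD. The wp-config constants are assumed and stubbed with placeholder values; the `username|token` cookie layout and the helper names are this example's own choices.

```php
<?php
// Constructed stand-ins for the wp-config.php constants (assumed, not real values).
foreach (['DB_PASSWORD', 'DB_USER', 'DB_NAME', 'DB_HOST', 'ABSPATH'] as $c) {
    defined($c) || define($c, 'placeholder-' . $c);
}

// The form quoted in the ticket. Every input except DB_PASSWORD is guessable
// (DB_USER/DB_NAME/DB_HOST/ABSPATH follow common defaults, $username is public),
// and uniqid(microtime()) is built from the clock, not from a random source, so
// the cookie's unpredictability rests almost entirely on the database password.
function weak_auth_cookie(string $username): string {
    return md5(DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH . $username . uniqid(microtime()));
}

// Hardened: the token is 256 bits from random_bytes() (the OS CSPRNG). No
// deployment secret is mixed in, so the token value is independent of
// DB_PASSWORD, and the database keeps only a hash of it, exactly as the ticket
// proposes for storage, so a database read does not yield usable cookies.
function issue_auth_cookie(string $username): array {
    $token = bin2hex(random_bytes(32));
    return [
        'cookie'      => $username . '|' . $token,
        'stored_hash' => hash('sha256', $token),
    ];
}

// Verifies a presented cookie against the stored hash. Returns the username on
// success, null otherwise. hash_equals() keeps the comparison constant-time.
function verify_auth_cookie(string $cookie, string $stored_hash): ?string {
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;
    }
    return hash_equals($stored_hash, hash('sha256', $parts[1])) ? $parts[0] : null;
}

// Self-check: a freshly issued cookie verifies, a tampered token does not.
$issued = issue_auth_cookie('alice');
if (verify_auth_cookie($issued['cookie'], $issued['stored_hash']) !== 'alice') {
    throw new RuntimeException('valid cookie rejected');
}
$tampered = substr($issued['cookie'], 0, -1) . (substr($issued['cookie'], -1) === '0' ? '1' : '0');
if (verify_auth_cookie($tampered, $issued['stored_hash']) !== null) {
    throw new RuntimeException('tampered cookie accepted');
}
echo "weak:     " . weak_auth_cookie('alice') . "\n";
echo "hardened: " . $issued['cookie'] . "\n";
```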