[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Tue Dec 11 12:42:16 GMT 2007

#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
 Replying to [comment:41 ryan]:
 > Even with a block cipher we still have to worry about someone getting
 > the key if it is stored in the DB, yes?
 The rough idea I was thinking of is storing the encrypted hash of the
 password in the cookie, and the double hash in the database. Then if an
 attacker can read the key and double-hash, they can still not generate a
 valid cookie.
 > Don't know if it's any good.
 >
 > http://www.jonasjohn.de/snippets/php/md5-based-block-cipher.htm
 It looks a bit weird (it's not CFB, like it says, and it's not quite OFB
 either). Maybe it works though, but it needs more thought.
-- 
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:42>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
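The scheme sketched in the comment above, as an added illustration that is not code from the ticket or from WordPress: the database keeps only the double hash H(H(pw)), the login cookie carries the single hash H(pw) encrypted under a server key, and verification decrypts the cookie and hashes once more. SHA-256 and an HMAC-SHA256 counter-mode keystream with an HMAC tag are assumptions standing in for the MD5-based block cipher linked in the thread; the sample password is constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def h(data: bytes) -> bytes:
    """One hash round. SHA-256 is an assumption; the ticket talks about MD5."""
    return hashlib.sha256(data).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in for the block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, so a modified cookie is rejected before use."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the blob is malformed or the tag fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def store_user(password: str) -> bytes:
    """Database side: only the double hash H(H(pw)) is persisted."""
    return h(h(password.encode()))


def issue_cookie(key: bytes, password: str) -> bytes:
    """Login: the cookie carries E_key(H(pw)); H(pw) itself is never stored."""
    return encrypt(key, h(password.encode()))


def verify_cookie(key: bytes, stored_double_hash: bytes, cookie: bytes) -> bool:
    """Decrypt, hash once more, and compare with the stored double hash."""
    single = decrypt(key, cookie)
    if single is None:
        return False
    return hmac.compare_digest(h(single), stored_double_hash)


def forge_with_db_contents(key: bytes, stored_double_hash: bytes) -> bytes:
    """The point of the scheme: someone holding the key and the DB row has only
    H(H(pw)). Encrypting it yields a cookie that verifies as H(H(H(pw))), which
    does not match the stored H(H(pw))."""
    return encrypt(key, stored_double_hash)


def demo() -> dict:
    key = os.urandom(32)                                   # server-side cookie key
    password = "correct horse battery staple"              # constructed sample
    record = store_user(password)
    cookie = issue_cookie(key, password)
    tampered = cookie[:-1] + bytes([cookie[-1] ^ 0x01])    # flip one tag bit
    return {
        "legit": verify_cookie(key, record, cookie),
        "forged_from_db": verify_cookie(key, record, forge_with_db_contents(key, record)),
        "tampered": verify_cookie(key, record, tampered),
        "wrong_password": verify_cookie(key, record, issue_cookie(key, "wrong")),
    }


if __name__ == "__main__":
    print(demo())
```

What the demo shows is exactly the property claimed in the comment: reading the key and the double hash out of the database is not enough to mint a cookie, because the cookie plaintext is the single hash, which the database never holds. Two limits worth keeping in view when weighing the design: a cookie captured in transit or from a client still replays until the key or password changes, and the unsalted double hash remains open to offline guessing of weak passwords, so the scheme raises the bar for DB-read attackers but does not replace transport protection or a slow, salted password hash.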