[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie
authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Tue Dec 11 19:19:01 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by ryan):
Replying to [comment:42 sjmurdoch]:
> Replying to [comment:41 ryan]:
> > Even with a block cipher we still have to worry about someone getting
the key if it is stored in the DB, yes?
>
> The rough idea I was thinking of is storing the encrypted hash of the
password in the cookie, and the double hash in the database. Then if an
attacker can read the key and double-hash, they can still not generate a
valid cookie.
Double hashing the password stored in the DB makes it hard to interop with
things like mod_auth_mysql, yes? I'm not sure if portable phpass hashes
are supported as is. wp_hash_password() and wp_check_password() could be
replaced with something that mod_auth_mysql can handle, but requiring a
double hash in the DB could foil that.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:43>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list