[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac wp-trac at lists.automattic.com
Wed Jan  9 16:40:10 GMT 2008

#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.5     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
-------------------------------------+--------------------------------------
Comment (by ryan):
 Replying to [comment:72 sambauers]:
 > Am I missing something or is the SECRET_KEY now not doing anything at
 > all?
 >
 > wp_salt() defines $secret_key from SECRET_KEY on lines 713 - 715 of
 > pluggable.php, but then doesn't concatenate it with $salt

 Fixed.

 > Also, should some value be auto-generated for $secret_key if there is no
 > SECRET_KEY defined or do we just rely on the DB based secret in that case?

 Anything auto-generated would need to be DB based since we can't assume
 file write privs.  We don't need two values stored in the DB, so if there
 is no secret key just using the salt is fine.
-- 
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:74>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
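
An added illustration, not WordPress's own code and not part of the original message, of the behaviour discussed in the comment above: a salt that ignores the file-based key versus one that concatenates it with the DB salt, and a check that a signed cookie stops verifying when the key changes. The function names, the sha256 HMAC and the `user|expiry|mac` cookie layout are assumptions made for the example.

```php
<?php
// Added example: hypothetical helpers, constructed values throughout.

// Behaviour reported in comment 72: the key is accepted but never mixed in.
function salt_key_ignored(?string $secretKey, string $dbSalt): string {
    return $dbSalt; // $secretKey has no effect on the result
}

// Behaviour after the fix: key concatenated with the DB salt; when no key
// is configured, the DB salt alone is used.
function salt_key_mixed(?string $secretKey, string $dbSalt): string {
    $secret = ($secretKey !== null && $secretKey !== '') ? $secretKey : '';
    return $secret . $dbSalt;
}

// Assumed cookie layout: user|expiry|HMAC(user|expiry), keyed with the salt.
function sign_cookie(string $user, int $expiry, string $salt): string {
    $mac = hash_hmac('sha256', $user . '|' . $expiry, $salt);
    return $user . '|' . $expiry . '|' . $mac;
}

function verify_cookie(string $cookie, string $salt): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $expiry, $mac] = $parts;
    if (!ctype_digit($expiry) || (int) $expiry < time()) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiry, $salt);
    return hash_equals($expected, $mac); // constant-time comparison
}

$dbSalt = 'constructed-db-secret';   // stands in for the DB-stored secret
$expiry = time() + 3600;

foreach (['salt_key_ignored', 'salt_key_mixed'] as $derive) {
    // Sign with key A, then verify as a site configured with key B or no key.
    $cookie   = sign_cookie('alice', $expiry, $derive('file-key-A', $dbSalt));
    $otherKey = verify_cookie($cookie, $derive('file-key-B', $dbSalt));
    $noKey    = verify_cookie($cookie, $derive(null, $dbSalt));
    printf("%-17s accepted with different key: %s, with no key: %s\n",
        $derive, var_export($otherKey, true), var_export($noKey, true));
}
```

If the key is really part of the salt, both checks report `false` for `salt_key_mixed`; a `true` there would mean the configured key is not doing anything.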