[wpmu-trac] [WordPress MU Trac] #1014: wp_salt incorrectly setting salt when $scheme='secure_auth'
WordPress MU Trac
wpmu-trac at lists.automattic.com
Mon Jul 6 02:33:04 UTC 2009
#1014: wp_salt incorrectly setting salt when $scheme='secure_auth'
----------------------+-----------------------------------------------------
Reporter: Jason_Jm | Owner: somebody
Type: defect | Status: new
Priority: highest | Milestone: 2.7.1
Component: Security | Version: 2.7.1
Severity: critical | Keywords: Salt, Secure, Auth, 2.7.1, Integration
----------------------+-----------------------------------------------------
This bug makes things less secure as the salt is always static :-)
Because this is a security issue with production code I feel it necessary
to flag this with high importance.
I understand that the 2.8 Merge is happening and with 2.8 being beta many
here are forced to run 2.7.1 in a production environment. The
showstopper is when integrating with bbpress with subdomains AND SSL. That's
how I found this one.
(Note: Integration will require a patched bbpress-integration.php to flag
'$secure' properly. Take a trip to bbpress.org for that info dear
readers.)
wp_salt incorrectly setting salt when $scheme='secure_auth'. Patch dumps
the 'SECRET_AUTH_SALT' for 'SECURE_AUTH_SALT'.
<patch>
# This is a UTF-8 patch. Pay attention to the directory listing below,
# modify if necessary.
# - Jason Giedymin - AcronymLabs.com
--- wordpress-mu\wp-includes\pluggable.php
+++ wordpress-mu\wp-includes\pluggable.php
@@ -1257,7 +1257,7 @@
$secret_key = SECURE_AUTH_KEY;
if ( defined('SECURE_AUTH_SALT') ) {
- $salt = SECRET_AUTH_SALT;
+ $salt = SECURE_AUTH_SALT; //2.7.1 $salt =
SECRET_AUTH_SALT;
} else {
$salt = get_option('secure_auth_salt');
if ( empty($salt) ) {
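Review bot: the trailing comment on the `+` line (`//2.7.1 $salt = SECRET_AUTH_SALT;`) should be dropped; the removed `-` line already records the old value, and in the mail the comment has wrapped onto a second line, so the hunk as shown no longer applies cleanly. The substantive change is right: the surrounding guard is `if ( defined('SECURE_AUTH_SALT') )`, so the assignment must read `SECURE_AUTH_SALT`; the old `SECRET_AUTH_SALT` is never defined anywhere, which is why the report sees a fixed salt. Two further points on the file headers: `wordpress-mu\wp-includes\pluggable.php` uses Windows backslashes and no `a/`/`b/` prefixes, so `patch -p0` on a Unix checkout will not find the file; use forward slashes. It would also be worth grepping pluggable.php for any other `SECRET_AUTH_SALT` occurrence before committing, since the same typo could appear in the `get_option()` fallback branch that this hunk only partly shows.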
</patch>
--
Ticket URL: <http://trac.mu.wordpress.org/ticket/1014>
WordPress MU Trac <http://mu.wordpress.org/>
WordPress Multiuser
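To make the report's claim concrete ("the salt is always static"), here is an added example that is not WordPress MU code. It models the 'secure_auth' branch of wp_salt() against a plain array instead of define()/defined(), because PHP constants cannot be redefined and the point is easiest to see by comparing two installs with different wp-config.php salts in one script. The install values, the options-table stand-in and the cookie data are constructed for the demonstration; the `??` fallback stands in for PHP 5 evaluating an undefined constant to its own name (on PHP 8 the original line would throw an Error instead).

```php
<?php
// Added example, not WordPress MU code. Minimal stand-in for the
// 'secure_auth' branch of wp_salt(), written against an array of
// wp-config.php values so two installs can be compared in one script.

// Constructed wp-config.php values for two unrelated installs.
$installA = ['SECURE_AUTH_KEY' => 'A-key', 'SECURE_AUTH_SALT' => 'A-salt-Qm9n'];
$installB = ['SECURE_AUTH_KEY' => 'B-key', 'SECURE_AUTH_SALT' => 'B-salt-Xy7p'];

// 2.7.1 behaviour. The guard tests SECURE_AUTH_SALT, but the assignment
// reads SECRET_AUTH_SALT, which is never defined. PHP 5 evaluates an
// undefined constant to its own name as a string (with an E_NOTICE), so
// the salt is the fixed literal 'SECRET_AUTH_SALT' on every install.
// The ?? fallback reproduces that PHP 5 behaviour explicitly.
function wp_salt_2_7_1(array $cfg) {
    $secret_key = $cfg['SECURE_AUTH_KEY'];
    if ( isset($cfg['SECURE_AUTH_SALT']) ) {
        $salt = $cfg['SECRET_AUTH_SALT'] ?? 'SECRET_AUTH_SALT';
    } else {
        $salt = 'value-from-options-table'; // stand-in for get_option('secure_auth_salt')
    }
    return $secret_key . $salt;
}

// Patched behaviour: read the constant the guard actually checked.
function wp_salt_patched(array $cfg) {
    $secret_key = $cfg['SECURE_AUTH_KEY'];
    if ( isset($cfg['SECURE_AUTH_SALT']) ) {
        $salt = $cfg['SECURE_AUTH_SALT'];
    } else {
        $salt = 'value-from-options-table';
    }
    return $secret_key . $salt;
}

// Return only the salt half, the part the operator expects wp-config.php to control.
function salt_part(string $saltedKey, array $cfg) {
    return substr($saltedKey, strlen($cfg['SECURE_AUTH_KEY']));
}

foreach (['A' => $installA, 'B' => $installB] as $name => $cfg) {
    printf("install %s 2.7.1 salt part   : %s\n", $name, salt_part(wp_salt_2_7_1($cfg), $cfg));
    printf("install %s patched salt part : %s\n", $name, salt_part(wp_salt_patched($cfg), $cfg));
}

// The check an operator wants: the salt part must follow wp-config.php.
// Under 2.7.1 both installs get the identical literal; patched, they differ.
assert(salt_part(wp_salt_2_7_1($installA), $installA) === salt_part(wp_salt_2_7_1($installB), $installB));
assert(salt_part(wp_salt_patched($installA), $installA) !== salt_part(wp_salt_patched($installB), $installB));

// The secure_auth cookie hash is keyed in the style of wp_hash():
// hash_hmac('md5', $data, wp_salt('secure_auth')). SECURE_AUTH_KEY still
// varies per install, so hashes differ between installs even under the bug,
// but the configured salt contributes nothing to them.
$cookieData = 'admin|1246846384'; // constructed user|expiry cookie payload
printf("patched hmac, install A: %s\n", hash_hmac('md5', $cookieData, wp_salt_patched($installA)));
```

Run it with `php wp_salt_demo.php` (any filename will do). On a live 2.7.1 install the equivalent check is to change SECURE_AUTH_SALT in wp-config.php and confirm that existing secure_auth cookies keep validating; if they do, the salt is not being used and the patch above is needed.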