[wp-hackers] Security Vulnerability found
Robert Deaton
false.hopes at gmail.com
Wed Apr 13 20:17:30 GMT 2005
The way I see this, it is entirely silly that someone would post such a
vulnerability.
As far as Denis' comments, if I remember correctly passwords are stored as a
double hashed md5, which would be very tiresome to reverse, although it
would still be possible, but this isn't the way a person would go about
stealing accounts imho. As far as IP address checking, it inadvertently
defeats the purpose of cookies for those who are on dialup or an ISP that
changes IP addresses constantly. As far as optionally logging off after a
certain period, WordPress already does it, although it is a very long
period. If someone leaves their blog logged in at a cybercafe, there's not
much that can be done to help, except moving to sessions so that when the
browser is closed the session is destroyed. I had a working hacked together
session script, but it's been lost in my clutter, but maybe it is something
we should consider and do like many sites do by having a checkbox to use
sessions if at a public terminal.
On 4/13/05, David Chait <davebytes at comcast.net> wrote:
>
> How about making the user-level below which the restriction is in effect
> be a dropdown list in the options somewhere... and have the lowest be 2, so
> no 'accidents'.
> -d
>
> ----- Original Message -----
> *From:* Amit Gupta <amit at igeek.info>
> *To:* wp-hackers at lists.automattic.com
> *Sent:* Wednesday, April 13, 2005 2:58 PM
> *Subject:* Re: [wp-hackers] Security Vulnerability found
>
> "Matthew Mullenweg" <m at mullenweg.com> wrote:
> > That said, I think a default feature restricting users lower than level
> > 8 to a known subset of HTML would be useful, and will be including it in a
> > future release. A while back Mark Ghosh created the giant array that
> > KSES needs to accomplish this, I'm sure he (or I) still have it
> > somewhere.
> I'd say, make that optional. I've got a multi-author blog but
> I don't want everyone to have access to admin functions. So I've got all
> of them on level 2 & some on level 5 (sub-admins).
> But I want them to be able to post any HTML they want as they
> are trusted that much. :)
>
>
> -----
> Amit Gupta
>
> || Canned!! -- my Atropine <http://blog.igeek.info/> || iG:Syntax Hiliter
> v2.01<http://blog.igeek.info/still-fresh/2004/11/22/igsyntax-hiliter-2-final/>||
> || iGEEK.INFO <http://www.igeek.info/> || Free Nokia Ringtones<http://www.igeek.info/ringtones.php>|| Online
> Gaming @ Games Planet <http://www.igeek.info/games.php> ||
>
> ------------------------------
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
--
--Robert Deaton
http://somethingunpredictable.com
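The subset-of-HTML restriction Matt describes, with the user-level threshold exposed as a configurable option floored at 2 as David suggests, as an added example in Python. This is not WordPress or KSES code: the tag and attribute whitelist, the URL scheme check, the helper names and the level values are all constructed for illustration, and the real KSES array is far larger.

```python
"""Per-user-level HTML whitelist filter (added example, not WordPress/KSES code).

Assumptions (constructed, not from the thread): the ALLOWED table is a small
illustrative subset; the threshold below which filtering applies is an option
with a floor of 2 so that level-1 users can never be exempted by accident.
"""
from html import escape
from html.parser import HTMLParser

# Constructed whitelist: tag -> attributes permitted on that tag.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "i": set(), "em": set(),
    "p": set(), "br": set(), "blockquote": {"cite"},
    "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(),
}
VOID_TAGS = {"br"}                      # never emit a closing tag for these
URL_ATTRS = {"href", "cite"}            # attributes that carry a URL
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
MIN_THRESHOLD = 2                       # floor for the configurable option


class WhitelistFilter(HTMLParser):
    """Rebuilds the document keeping only whitelisted tags and attributes.

    Disallowed tags are dropped but their text content is kept (escaped);
    disallowed attributes, including every on* handler, are dropped; URL
    attributes must start with a known-safe prefix or they are dropped too.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue
            if name in URL_ATTRS:
                if not (value or "").strip().lower().startswith(SAFE_URL_PREFIXES):
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so entity tricks in the input are neutralised.
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def filter_html(html: str) -> str:
    """Return `html` reduced to the whitelisted subset."""
    p = WhitelistFilter()
    p.feed(html)
    p.close()
    return p.result()


def filter_for_level(html: str, user_level: int, threshold: int) -> str:
    """Apply the whitelist to users below `threshold`; trusted users at or
    above it (Amit's level-5 sub-admins, say) get their HTML unchanged.
    The threshold can never drop below MIN_THRESHOLD."""
    threshold = max(threshold, MIN_THRESHOLD)
    if user_level >= threshold:
        return html
    return filter_html(html)


if __name__ == "__main__":
    sample = '<b onclick="x">hi</b><script>alert(1)</script>'   # constructed input
    print(filter_for_level(sample, user_level=2, threshold=8))  # level 2: filtered
    print(filter_for_level(sample, user_level=8, threshold=8))  # level 8: untouched
```

Trusted users pass straight through, which is exactly the "make it optional" behaviour Amit asks for; the cost is that the threshold option itself becomes security-relevant configuration, which is why it is floored rather than left free.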
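The "public terminal" checkbox Robert proposes, as an added example in Python rather than WordPress code: when the box is ticked the login cookie is issued without Max-Age (a browser session cookie, discarded on close) and with a short server-side expiry; otherwise it is a persistent cookie with the long lifetime the thread mentions. The token is an HMAC over user and expiry and is deliberately not bound to the client IP, for the dialup reason Robert gives. The cookie name, secret, lifetimes and token format are constructed assumptions.

```python
"""Login cookie policy with a 'public terminal' option (added example,
not WordPress code). Constructed assumptions: cookie name, SECRET,
lifetimes and the user|expiry|hmac token layout."""
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

SECRET = b"constructed-per-site-secret"   # assumption: a per-site secret
DEFAULT_LIFETIME = 14 * 24 * 3600         # constructed "very long period"
PUBLIC_LIFETIME = 3600                    # constructed short lifetime for shared machines
COOKIE_NAME = "wp_login"                  # constructed name


def make_token(user: str, expires: int) -> str:
    """Token = user|expires|hmac; nothing about the client IP goes in,
    so a changing dialup address does not invalidate the login."""
    msg = f"{user}|{expires}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{tag}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        user, exp_s, tag = token.split("|")
        expires = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if now >= expires:
        return None
    return user


def login_cookie(user: str, public_terminal: bool, now: int) -> Tuple[str, int]:
    """Build the Set-Cookie value for a fresh login.

    public_terminal=True : no Max-Age, so the browser drops the cookie when
                           closed; server-side expiry bounds any reuse.
    public_terminal=False: persistent cookie with DEFAULT_LIFETIME.
    Returns (header value, token expiry as a Unix timestamp)."""
    lifetime = PUBLIC_LIFETIME if public_terminal else DEFAULT_LIFETIME
    expires = now + lifetime
    c = SimpleCookie()
    c[COOKIE_NAME] = make_token(user, expires)
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["path"] = "/"
    if not public_terminal:
        c[COOKIE_NAME]["max-age"] = lifetime
    return c.output(header="").strip(), expires


if __name__ == "__main__":
    now = int(time.time())
    print(login_cookie("alice", public_terminal=True, now=now)[0])
    print(login_cookie("alice", public_terminal=False, now=now)[0])
```

The browser-side behaviour (discard on close) and the server-side expiry are independent controls: the first is what helps at a cybercafe, the second is what limits the damage if the cookie is copied before the browser is closed.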