[wp-hackers] Rethinking check_admin_referer()

Robert Deaton false.hopes at gmail.com
Sat Apr 22 03:48:03 GMT 2006


On 4/21/06, David Chait <davebytes at comcast.net> wrote:
>
> But really, skip the double-md5, just substr to remove some number of
> characters off the hash, should be amazingly fast compared to the original
> md5, and that should make it (nearly) impossible to reverse-crack. (right?)
> No human-perceptible time to a substr (I hope not!), and it makes the hash
> 'incomplete' to a hacker.

I've got no problem with this, but I'll warn in advance of the "nonces
are too short and not varied enough because they're only hexadecimal,
we only have 2^[number of chars we keep] possible combinations, and so
they can be brute forced in only 10 years. Let me raise some hell on
the hackers list over nothing."

> Just imho.  Anything to stop the 'here, try to hack my site' emails! ;)

Anything to stop the "look, I can hack your site in 10 years if I can
get a nonce" emails.

>
> -d
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>


--
--Robert Deaton
http://somethingunpredictable.com


More information about the wp-hackers mailing list