[wp-hackers] Wordpress Cookie Authentication Vulnerability

Seth Chromick seth at thenextwave.biz
Tue Nov 20 18:15:23 GMT 2007


I was going to mention salting the password, but it seems that isn't 
necessarily the core problem.

http://trac.wordpress.org/ticket/2394
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/


Peter Westwood wrote:
> On Tue, November 20, 2007 5:42 pm, Bas Bosman wrote:
>   
>>> Is there any reason in particular WP is using MD5 as opposed to a
>>> stronger algorithm?
>>>       
>> Yes, because WordPress still supports PHP 4.2, which doesn't really have
>> any good support for a stronger algorithm.
>>
>> But as mentioned in the Trac ticket, MD5 isn't the issue here. The issue
>> is that we have a guessable cookie, based on read-only database access or
>> non-SSL network sniffing.
>>
>> I think Otto gave a nice overview of a possible solution. Which can
>> optionally be enhanced by linking login cookies to IP addresses to further
>> minimize the chances of cookie stealing. (Mark the optional, because it
>> can have unwanted side-effects in some network setups)
>>
>>     
>
> This solution sounds good.
>
> IP Address linking has to be optional plugin material because a large
> portion of the WordPress userbase will be in one of those strange network
> setups - like the AOL multiple proxy setup where you get a different proxy
> for each HTTP request quite often.
>
>   
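
An added sketch, not part of the original thread and not Otto's proposal (which is not reproduced on this page), of the two ideas discussed above: a login cookie that cannot be computed from database contents because it is MACed with a server-side secret, and optional IP linking, which drops the session when a proxy pool changes the client address between requests. Python is used for brevity; the secret, cookie layout and function names are assumptions, and the addresses are constructed.

```python
import hashlib
import hmac
import time

# Assumption: the secret lives in server configuration, never in the database,
# so read-only database access is not enough to compute a valid cookie.
SERVER_SECRET = b"constructed-example-secret"


def cookie_mac(user, expires, client_ip, secret=SERVER_SECRET):
    # client_ip is "" when IP linking is off, so the address is not covered.
    msg = f"{user}|{expires}|{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_cookie(user, client_ip, ttl=3600, bind_ip=False, now=None):
    """Build 'user|expires|mac' for a user who has just authenticated."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    expires = (int(time.time()) if now is None else now) + ttl
    mac = cookie_mac(user, expires, client_ip if bind_ip else "")
    return f"{user}|{expires}|{mac}"


def verify_cookie(cookie, client_ip, bind_ip=False, now=None):
    """Return the user name for an authentic, unexpired cookie, else None."""
    now = int(time.time()) if now is None else now
    try:
        user, expires, mac = cookie.split("|")
        expires = int(expires)
    except ValueError:
        return None
    expected = cookie_mac(user, expires, client_ip if bind_ip else "")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user if expires > now else None


if __name__ == "__main__":
    login_ip, proxy_ip = "198.51.100.7", "203.0.113.9"  # constructed addresses
    plain = issue_cookie("alice", login_ip, now=1000)
    bound = issue_cookie("alice", login_ip, bind_ip=True, now=1000)
    print(verify_cookie(plain, proxy_ip, now=1001))                # alice
    print(verify_cookie(bound, login_ip, bind_ip=True, now=1001))  # alice
    # Same user, next request arrives via a different proxy: session is lost.
    print(verify_cookie(bound, proxy_ip, bind_ip=True, now=1001))  # None
```

The MAC only addresses the database-read case; a cookie sent over plain HTTP can still be captured on the network, which is what the optional IP linking tries to narrow.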

