[wp-hackers] Wordpress Cookie Authentication Vulnerability

Jacob wordpress at santosj.name
Thu Nov 22 05:39:29 GMT 2007


I agree that this should move from discussions on how to do it to 
actually doing something.

What Travis Snoozy said is accurate: WordPress has a salt and hashing 
function now (the last two functions in pluggable.php); most of what you 
need is also contained in pluggable.php.

The only thing you would need to do to create a permanent user id is:

1. Override the wp_get_cookie_login() function since it has to return 
the clear text username and MD5 password. Really, this step is not 
required if you hook into the wp_authenticate action and reference the 
two parameters to get the username and password.

2. The wp_setcookie() function needs to be overwritten, since it does the 
double hashing of the password. Using the method [1] described in the 
ticket [2], I would say that it should be this method. Whether or not 
the session id is given is up in the air (

session_set_cookie_params(31536000, COOKIEPATH);
session_start();

), then use the session id with the method.

3. wp_clearcookie(), only if you replace USER_COOKIE and PASS_COOKIE 
with something else in the plugin or core.

In which case, it could be entirely possible to use 
session_set_cookie_params and sessions completely instead of setting the 
username and password in the cookie, and keep the session for as long as 
the user doesn't sign out, or destroy it if the visitor isn't signed in (no 
reason to keep the session for as long as the cookie).

I say, two such plugins are in order. One which takes the complete 
session-based approach for those whose hosts don't suck and the other 
which still uses the cookie approach.

4. In registration.php, wp_insert_user() would have to be changed to use 
wp_hash(). However, this step is something entirely different and not 
part of the issue. However, I would rather like it if I could, say, use 
MySQL AES instead to encrypt the password, which from what I can see, I 
can't really do (haven't looked at wp_register.php).

-- 

Jacob Santos

http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.

Also known as darkdragon and santosj on WP trac.
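The following is an added example, not code from WordPress or from this thread's author, illustrating the defensive point behind steps 1 and 2 above: an auth cookie should carry no password material (so a leaked user table cannot be turned into a valid cookie) and should be keyed with a server-side secret and an expiry. The function names (make_auth_cookie, validate_auth_cookie), the AUTH_COOKIE_SALT constant, and the sample username and timestamp are assumptions for illustration; wp_hash() or a configured secret would play the role of the salt in a real plugin.

```php
<?php
// Added example (not WordPress code). Demonstrates a keyed, expiring auth
// cookie that carries no password hash, as an alternative to placing
// MD5(password) in the cookie.

// Placeholder secret (assumption): in a real deployment this comes from
// configuration, never from the table that stores the password hashes.
const AUTH_COOKIE_SALT = 'replace-with-a-long-random-secret';

// Build the cookie value as username|expiry|hmac. The MAC is keyed with a
// server-side secret, so knowledge of the user table alone does not let
// anyone produce a valid cookie.
function make_auth_cookie(string $username, int $expiry, string $salt = AUTH_COOKIE_SALT): string
{
    // '|' is the field separator; refuse usernames that would break parsing.
    if (strpos($username, '|') !== false) {
        throw new InvalidArgumentException('username must not contain "|"');
    }
    $payload = $username . '|' . $expiry;
    $mac = hash_hmac('sha256', $payload, $salt);
    return $payload . '|' . $mac;
}

// Validate a cookie value: returns the username on success, null on any
// failure (malformed, expired, or MAC mismatch).
function validate_auth_cookie(string $cookie, int $now, string $salt = AUTH_COOKIE_SALT): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                           // malformed
    }
    [$username, $expiry, $mac] = $parts;
    if ($username === '' || !ctype_digit($expiry) || (int) $expiry < $now) {
        return null;                           // bad timestamp or expired
    }
    $expected = hash_hmac('sha256', $username . '|' . $expiry, $salt);
    if (!hash_equals($expected, $mac)) {       // constant-time comparison
        return null;                           // tampered or forged
    }
    return $username;
}

// Constructed sample values for a stand-alone run.
$now    = 1195710000;                          // constructed "current" time
$cookie = make_auth_cookie('alice', $now + 3600);

// Valid cookie, checked within its lifetime.
var_dump(validate_auth_cookie($cookie, $now));
// Same cookie, checked after its expiry has passed.
var_dump(validate_auth_cookie($cookie, $now + 7200));
// Cookie with the username field altered but the original MAC kept.
var_dump(validate_auth_cookie(str_replace('alice', 'admin', $cookie), $now));
```

The design choice worth noting is that the cookie's only secret-dependent component is an HMAC keyed with a server-side value, so rotating that salt invalidates every outstanding cookie without touching stored passwords, and comparing the MAC with hash_equals avoids leaking timing information during validation.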



More information about the wp-hackers mailing list