[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Wed Dec 19 06:30:42 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by sambauers):

So if I understand correctly, for bbPress (or any other program that wants
to integrate) to be able to read the cookies which are now produced it
needs to know the SECRET_KEY set in wp-config.php *and* the "secret" in
the options table as well.

Just because I have to ask... :)

How critical is it that we have the "secret" option as well as the
SECRET_KEY? I would have thought the stronger phpass hashing would make
that second secret unnecessary?

I don't mean to harp on this, it's just that a lot of support issues for
bbPress centre around integration and needing to retrieve the "secret"
option from the raw database makes it even more onerous to implement
cookie sharing.

--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:59>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software