[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 20 18:17:37 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by ryan):
sjmurdoch, we can remove DB info from the secret key then. People will
just have to change their SECRET_KEY to get extra protection.
sambauers, we could have a SECRET_SALT define that overrides the secret in
the DB to aid integrators. We create a random "secret" in the DB to make
up for the fact that most people won't change SECRET_KEY. Integrators will
have to change keys, so we can do without the secret in the DB. phpass,
BTW, plays no role in the cookie protocol. phpass and password hashing
are a separate consideration.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:61>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
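The key-derivation scheme ryan sketches above (a SECRET_KEY from wp-config.php, a random per-install secret in the DB to cover sites that never change it, and a SECRET_SALT define that overrides the DB secret for integrators), as an added PHP illustration that is not WordPress's own code; the function names, the cookie layout and the use of HMAC-SHA256 are assumptions.

```php
<?php
// Added illustration of the scheme from the comment, not WordPress code.
// Assumed names: random_db_secret(), cookie_secret(), sign_cookie(), verify_cookie().

// Site-wide key from wp-config.php. Many installs never change the shipped
// placeholder, which is exactly why a second, random secret is needed.
define('SECRET_KEY', 'put your unique phrase here');   // constructed default

// Integrators who cannot rely on the DB secret define this instead:
// define('SECRET_SALT', 'long random value chosen by the integrator');

function random_db_secret(): string {
    // Per-install secret generated once and stored in the options table;
    // simulated here with a process-lifetime static.
    static $secret = null;
    if ($secret === null) {
        $secret = bin2hex(random_bytes(32));
    }
    return $secret;
}

function cookie_secret(): string {
    // SECRET_SALT, when defined, replaces the DB secret entirely; otherwise the
    // random DB secret covers installs that left SECRET_KEY at its default.
    $salt = defined('SECRET_SALT') ? SECRET_SALT : random_db_secret();
    return hash_hmac('sha256', $salt, SECRET_KEY);
}

function sign_cookie(string $username, int $expiration): string {
    // Cookie = username|expiration|mac; the MAC binds both fields to the secret.
    $data = $username . '|' . $expiration;
    return $data . '|' . hash_hmac('sha256', $data, cookie_secret());
}

function verify_cookie(string $cookie): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || (int) $parts[1] < time()) {
        return null;                       // malformed or expired
    }
    $expected = hash_hmac('sha256', $parts[0] . '|' . $parts[1], cookie_secret());
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hash_equals($expected, $parts[2]) ? $parts[0] : null;
}

$cookie = sign_cookie('admin', time() + 3600);
var_dump(verify_cookie($cookie) === 'admin');
var_dump(verify_cookie(str_replace('admin', 'alice', $cookie)));
```

Because the DB secret is random per install, a leaked or default SECRET_KEY alone is not enough to reconstruct cookie_secret(); defining SECRET_SALT removes the DB dependency for integrators who manage their own keys.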