[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text

WordPress Trac noreply at wordpress.org
Tue Oct 10 17:15:27 UTC 2017


#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+------------------------
 Reporter:  tomdxw       |       Owner:  bor0
     Type:  enhancement  |      Status:  assigned
 Priority:  normal       |   Milestone:  5.0
Component:  Security     |     Version:  4.6.1
 Severity:  normal       |  Resolution:
 Keywords:  needs-patch  |     Focuses:  multisite
-------------------------+------------------------
Changes (by jeremyfelt):

 * keywords:  has-patch => needs-patch
 * owner:   => bor0
 * status:  new => assigned
 * milestone:  Awaiting Review => 5.0


Comment:

 Thanks for opening a ticket, @tomdxw.

 In the future, if you believe you are reporting a security vulnerability,
 please follow the guidelines at
 https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/.
 With the text entered in the original issue, there should have also been
 a required check-box input confirming that a security vulnerability was
 not being reported.

 That said, this is an area that could use some hardening and is okay to be
 fixed as a public ticket. I don't believe a CVE is necessary. See #24783
 as an example of a related issue that has been addressed publicly in the
 past. Ideally we'll be able to use a similar fix to help communicate the
 activation key change to any pending users.

 @bor0 - Thank you for the initial patch. I think you're on the right path.
 It'd be good if we can resolve this without the addition of another
 parameter on the URL (`signup_id`). See [25696] for an example of how
 we've handled an old format and new format at the same time. Using the
 plain text key in the activation URL is okay because we can compare it
 with an old or new (hashed) version in the DB. I'm going to assign
 ownership of the ticket to you and will happily review ongoing patches. :)

 I'm going to put this in the 5.0 milestone for now, though we may be able
 to ship it as part of a 4.9.1 release with the right progress.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
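The dual-format check jeremyfelt describes (a plain key in the activation URL compared against either an old plain-text row or a new hashed row, without a `signup_id` parameter) modelled as an added Python example; this is not WordPress code. The in-memory table, the `$sha256$` marker and the choice of an unsalted SHA-256 (so the row can still be found by key alone) are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for wp_signups; the prefix marks rows written after hashing was introduced.
HASH_PREFIX = "$sha256$"  # assumed marker, not a WordPress convention


@dataclass
class Signup:
    user_login: str
    activation_key: str   # legacy rows: the plain key; new rows: HASH_PREFIX + hex digest
    active: bool = False


def hash_key(key: str) -> str:
    # Deterministic, unsalted hash: the key is random data, not a password, so a salt buys
    # nothing, and determinism lets us locate the row by the key presented in the URL.
    return HASH_PREFIX + hashlib.sha256(key.encode("utf-8")).hexdigest()


def create_signup(table: list, user_login: str) -> str:
    """Insert a new signup; the plain key is returned only for the activation email/URL."""
    key = secrets.token_hex(8)  # 16-character random key (constructed format)
    table.append(Signup(user_login, hash_key(key)))
    return key


def key_matches(stored: str, presented: str) -> bool:
    """Constant-time comparison of a plain URL key against either storage format."""
    if stored.startswith(HASH_PREFIX):
        return hmac.compare_digest(stored.encode("utf-8"), hash_key(presented).encode("utf-8"))
    # Row written before hashing: compare plain text, still in constant time.
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


def activate(table: list, presented: str) -> Optional[Signup]:
    """Activate the pending signup for this key and migrate a legacy row to the hashed form."""
    for row in table:
        if not row.active and key_matches(row.activation_key, presented):
            row.activation_key = hash_key(presented)  # plain text never stays in the table
            row.active = True
            return row
    return None
```

Against a real database the loop becomes a lookup of `activation_key IN (plain, hashed)`, which is what makes the unsalted hash attractive here: no extra URL parameter is needed to find the row.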