[wp-hackers] Wordpress Cookie Authentication Vulnerability
Stephane Daury
wordpress at tekartist.org
Tue Nov 20 20:48:50 GMT 2007
Password salting shouldn't be based on a computer-generated algorithm
like in the submitted patch.
Anything generated can ultimately be emulated and cracked.
But if that's deemed acceptable, a quick and backward-compatible
(PHP4+5) salt is as follows: uniqid(microtime(),true).
The *better* (accepted) way is to use a user-generated salt string
instead, like a passphrase in PGP, GPG, etc.
Stephane
On Nov 20, 2007, at 13:15, Seth Chromick wrote:
> I was going to mention salting the password, but it seems that isn't
> necessarily the core problem.
>
> http://trac.wordpress.org/ticket/2394
> http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
>
>
> Peter Westwood wrote:
>> On Tue, November 20, 2007 5:42 pm, Bas Bosman wrote:
>>
>>>> Is there any reason in particular WP is using MD5 as opposed to a
>>>> stronger algorithm?
>>>>
>>> Yes, because WordPress still supports PHP 4.2, which doesn't really have
>>> any good support for a stronger algorithm.
>>>
>>> But as mentioned in the Trac ticket, MD5 isn't the issue here. The issue
>>> is that we have a guessable cookie, based on read-only database access or
>>> non-SSL network sniffing.
>>>
>>> I think Otto gave a nice overview of a possible solution, which can
>>> optionally be enhanced by linking login cookies to IP addresses to
>>> further minimize the chances of cookie stealing. (Mark the optional,
>>> because it can have unwanted side-effects in some network setups.)
>>>
>>>
>>
>> This solution sounds good.
>>
>> IP address linking has to be optional plugin material because a large
>> portion of the WordPress userbase will be in one of those strange network
>> setups - like the AOL multiple proxy setup where you get a different proxy
>> for each HTTP request quite often.
>>
>>
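The thread's point that a cookie derivable from database contents alone is guessable, and Stephane's suggestion of a user-generated secret string, can be illustrated with a keyed login cookie. This is an added example, not code from the thread or from WordPress; it assumes PHP 5.6+ for hash_equals() and uses a placeholder value for the secret.

```php
<?php
// Added example (not from the thread or from WordPress): a login cookie
// signed with a secret that lives only in the server's config file.
// Assumes PHP 5.6+ for hash_equals(); AUTH_SECRET is a placeholder value.

// Stephane's "user generated salt string": a long passphrase the site owner
// writes into the config file once. It is never stored in the database, so a
// read-only database leak does not let anyone recompute the cookie.
define('AUTH_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE');

// Build a cookie that binds the user name to an expiry time and signs both.
function make_auth_cookie($user_login, $expiration, $secret) {
    $data = $user_login . '|' . $expiration;
    $mac  = hash_hmac('sha256', $data, $secret);
    return $data . '|' . $mac;
}

// Verify a presented cookie. Returns the user name on success, false otherwise.
function validate_auth_cookie($cookie, $secret, $now = null) {
    $now   = ($now === null) ? time() : $now;
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {          // also rejects a '|' smuggled into the name
        return false;
    }
    list($user_login, $expiration, $mac) = $parts;
    // Reject expired or malformed expiry before doing any cryptographic work.
    if (!ctype_digit($expiration) || (int)$expiration < $now) {
        return false;
    }
    $expected = hash_hmac('sha256', $user_login . '|' . $expiration, $secret);
    // Constant-time comparison so the check does not leak the MAC byte by byte.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    return $user_login;
}

// Demonstration with constructed values (constructed timestamp, Nov 2007).
$now    = 1195591730;
$cookie = make_auth_cookie('alice', $now + 3600, AUTH_SECRET);
var_dump(validate_auth_cookie($cookie, AUTH_SECRET, $now));          // valid cookie
var_dump(validate_auth_cookie($cookie, 'value-from-db', $now));      // key the server never used
var_dump(validate_auth_cookie($cookie, AUTH_SECRET, $now + 7200));   // presented after expiry
$tampered = str_replace('alice', 'admin', $cookie);
var_dump(validate_auth_cookie($tampered, AUTH_SECRET, $now));        // name edited, MAC unchanged
```

Because the MAC depends on a key that is not in the database, read-only database access or a sniffed cookie for one user does not let anyone mint a cookie for another user or extend an expired one.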