[wp-hackers] Hashing user_activation_key in the database
Harry Metcalfe
harry at dxw.com
Thu Jun 13 11:05:00 UTC 2013
Hello all,
During a recent penetration test, the tester found an SQL injection in a
plugin. He used that injection to identify an administrative account,
then requested a password reset using the form, and then used the
injection to retrieve the user_activation_key. Because the key is not
hashed, he was able to immediately log in, without having to spend any
time trying to break the password hash.
Without finding an SQL injection or arbitrary code execution
vulnerability, this is not too much of an issue. But having found one of
those things, WordPress generating and setting an unhashed password for
the account (which is what it boils down to) makes obtaining
unauthorised access very much easier.
I think this is a straightforward enough thing to fix, and I'm happy to
jump in and do it. But I thought it might be sensible to consult this
list before I go and spend time making a patch for a trac ticket.
What do people (and in particular, core committers) think about this? Is
a sensible patch likely to be accepted?
Cheers,
Harry
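The attack chain Harry describes, and the fix he proposes, reduced to a runnable model. This is an added example, not code from the post or from WordPress: the in-memory dict stands in for the wp_users table, and the function names (request_reset_unhashed, request_reset_hashed, check_key_hashed, sqli_read_key) are assumptions made here for illustration. Reading the stored column plays the role of the SQL injection; in the unhashed scheme that read yields a key the attacker can present straight away, while in the hashed scheme it yields only a digest, and the legitimate user who received the e-mailed token still gets in.

```python
import hashlib
import hmac
import secrets


def make_db():
    # Constructed stand-in for the wp_users row of the target account (assumption).
    return {"admin": {"user_pass": "<password hash, not needed here>",
                      "user_activation_key": ""}}


def new_reset_token() -> str:
    # 128 bits of randomness; this is what the password-reset e-mail carries.
    return secrets.token_hex(16)


def hash_key(token: str) -> str:
    # A fast hash is adequate for a high-entropy random token: nobody can enumerate
    # 2**128 candidates, so the slow password hash used for user_pass is not required.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset_unhashed(db, login):
    # Pattern described in the post: the key is written to the database in the clear.
    token = new_reset_token()
    db[login]["user_activation_key"] = token
    return token                       # goes to the account owner's mailbox


def request_reset_hashed(db, login):
    # Proposed fix: only the hash of the key is stored; the clear token exists only in the e-mail.
    token = new_reset_token()
    db[login]["user_activation_key"] = hash_key(token)
    return token


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the stored value.
    return hmac.compare_digest(a.encode(), b.encode())


def check_key_unhashed(db, login, presented: str) -> bool:
    stored = db[login]["user_activation_key"]
    return bool(stored) and _same(stored, presented)


def check_key_hashed(db, login, presented: str) -> bool:
    stored = db[login]["user_activation_key"]
    return bool(stored) and _same(stored, hash_key(presented))


def sqli_read_key(db, login) -> str:
    # Models the tester's step: read user_activation_key via an SQL injection in a plugin.
    return db[login]["user_activation_key"]


def attacker_wins(scheme: str) -> bool:
    # Attacker submits the public reset form for the admin account, reads the key column
    # through the injection, and tries to use what was read as the reset key.
    db = make_db()
    if scheme == "unhashed":
        request, check = request_reset_unhashed, check_key_unhashed
    else:
        request, check = request_reset_hashed, check_key_hashed
    request(db, "admin")               # e-mailed token never reaches the attacker
    leaked = sqli_read_key(db, "admin")
    return check(db, "admin", leaked)


def owner_wins_hashed() -> bool:
    # The legitimate owner uses the token from the e-mail against the hashed column.
    db = make_db()
    token = request_reset_hashed(db, "admin")
    return check_key_hashed(db, "admin", token)


def wrong_token_rejected_hashed() -> bool:
    db = make_db()
    request_reset_hashed(db, "admin")
    return not check_key_hashed(db, "admin", new_reset_token())


if __name__ == "__main__":
    print("unhashed key, DB read suffices:", attacker_wins("unhashed"))   # True
    print("hashed key, DB read suffices:  ", attacker_wins("hashed"))     # False
    print("owner with e-mailed token:     ", owner_wins_hashed())         # True
```

The point of the model is the asymmetry: a read-only database primitive (the injection) turns into an immediate login when the stored key is the credential itself, and into nothing useful when the stored value is only a digest of it. The password hash in user_pass already follows that rule; the example simply applies it to the reset key as well.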