[wp-hackers] Hashing user_activation_key in the database

Sinan sinan at sinanisler.com
Thu Jun 13 16:32:57 UTC 2013


How many people download that plugin? Don't say the name. I just want to know whether
it is a popular plugin.


2013/6/13 Harry Metcalfe <harry at dxw.com>

> Yup, that was done at the time.
>
> H
>
>
>
> On 13/06/13 13:58, Mika Epstein wrote:
>
>> If the injection came via a plugin, can you also email the plugin name
>> and details to plugins AT Wordpress.org please?
>>
>> On Jun 13, 2013, at 4:06 AM, Harry Metcalfe <harry at dxw.com> wrote:
>>
>>> PS: I tried to write a plugin to fix this in the interim but suitable
>>> filters do not exist. That might also be a good thing to consider adding,
>>> or making pluggable.
>>>
>>>
>>> On 13/06/13 12:05, Harry Metcalfe wrote:
>>>
>>>> Hello all,
>>>>
>>>> During a recent penetration test, the tester found an SQL injection in
>>>> a plugin. He used that injection to identify an administrative account,
>>>> then requested a password reset using the form, and then used the injection
>>>> to retrieve the user_activation_key. Because the key is not hashed, he was
>>>> able to immediately log in, without having to spend any time trying to
>>>> break the password hash.
>>>>
>>>> Without finding an SQL injection or arbitrary code execution
>>>> vulnerability, this is not too much of an issue. But having found one of
>>>> those things, WordPress generating and setting an unhashed password for the
>>>> account (which is what it boils down to) makes obtaining unauthorised
>>>> access very much easier.
>>>>
>>>> I think this is a straightforward enough thing to fix, and I'm happy to
>>>> jump in and do it. But I thought it might be sensible to consult this list
>>>> before I go and spend time making a patch for a trac ticket.
>>>>
>>>> What do people (and in particular, core committers) think about this?
>>>> Is a sensible patch likely to be accepted?
>>>>
>>>> Cheers,
>>>>
>>>> Harry
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>>
>



-- 
Sinan İŞLER
sinanisler.com <http://www.sinanisler.com>
fb.com/sinanisler
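The fix Harry proposes in the quoted message (store a hash of user_activation_key rather than the key itself) as an added Python sketch; this is example code written for this page, not WordPress code and not from anyone in the thread. The in-memory users table, the 24-hour expiry and the one-time-use rule are assumptions of the example, not WordPress behaviour. It walks through the scenario from the thread: a reset is requested, the value an SQL injection would read from the table is the hash, and presenting that leaked value at the reset form does not validate.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed policy for this example: a reset key is valid for 24 hours.
RESET_KEY_TTL = 24 * 60 * 60


def hash_reset_key(key: str) -> str:
    """Hash a high-entropy random key for storage.

    The key comes from secrets.token_urlsafe(32), i.e. 256 random bits, so an
    attacker who reads the hash cannot enumerate preimages; a fast hash is
    adequate here. That is unlike user-chosen passwords, which are low-entropy
    and need a slow, salted hash."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def issue_reset_key(users: dict, user_login: str, now: Optional[float] = None) -> str:
    """Generate a reset key, store only its hash, and return the plaintext.

    The plaintext is what goes into the reset e-mail; it never touches the
    database, so a database read cannot recover it."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)
    users[user_login]["user_activation_key"] = hash_reset_key(key)
    users[user_login]["key_issued_at"] = now
    return key


def check_reset_key(users: dict, user_login: str, presented: str,
                    now: Optional[float] = None) -> bool:
    """Validate a key presented via the reset link.

    Hash the presented value and compare it with the stored hash in constant
    time. A value lifted from the table (the stored hash itself) will not
    validate, because hashing it again does not reproduce the stored hash.
    A valid key is consumed so it cannot be replayed."""
    now = time.time() if now is None else now
    row = users.get(user_login)
    if row is None or not row["user_activation_key"]:
        return False
    if now - row["key_issued_at"] > RESET_KEY_TTL:
        return False
    if not hmac.compare_digest(hash_reset_key(presented), row["user_activation_key"]):
        return False
    row["user_activation_key"] = ""  # one-time use
    return True


def demo() -> dict:
    """Walk through the scenario from the thread and return the outcomes."""
    # Constructed stand-in for the users table: user_login -> row.
    users = {"admin": {"user_activation_key": "", "key_issued_at": 0.0}}
    t0 = 1_371_139_200.0  # constructed timestamp (13 Jun 2013)

    key = issue_reset_key(users, "admin", now=t0)
    # What an SQL injection would read from the table: the hash, not the key.
    leaked = users["admin"]["user_activation_key"]
    results = {
        "stored_is_not_key": leaked != key,
        "leaked_value_fails": check_reset_key(users, "admin", leaked, now=t0 + 60),
        "real_key_succeeds": check_reset_key(users, "admin", key, now=t0 + 60),
        "replay_fails": check_reset_key(users, "admin", key, now=t0 + 120),
    }

    # A second key, presented after the assumed TTL has passed.
    key2 = issue_reset_key(users, "admin", now=t0)
    results["expired_fails"] = check_reset_key(users, "admin", key2,
                                               now=t0 + RESET_KEY_TTL + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the constant-time comparison and the fast hash is that the stored column is now a one-way image of a secret the attacker never sees; the injection in the thread would yield only that image, which the reset form does not accept, so the attacker is back to needing the password hash or another vulnerability.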

