[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Sun Dec 2 20:51:04 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
Replying to [comment:26 ryan]:
> The recipes using HMAC look good, however hash_hmac() is available only
> in recent PHP versions. We'll have to fall back to something else when it
> isn't available.
It is quite straightforward to build HMAC out of a hash function, and even
using MD5 is OK for this because HMAC is not vulnerable to collision
attacks. The Wikipedia article [http://en.wikipedia.org/wiki/HMAC on HMAC]
shows how it is constructed. So I wouldn't let this be an impediment.
This is still more complicated than building sessions, and importantly if
the attacker gets access to the database and key, he can still log in as
any user. So while it fixes the expiry issues it will not completely stop
the problem that this ticket is about.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:27>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
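The fallback sjmurdoch describes, HMAC built from a bare hash function so that it works on PHP builds without hash_hmac(), written out as an added example (this is not code from the ticket or from WordPress). It follows the RFC 2104 construction using md5()/sha1() only, checks itself against the published HMAC-MD5 test vector, and shows the cookie-token check it would be used for; the names `hmac_from_hash`, `check_auth_cookie` and `$secret_key` are assumptions for the example.

```php
<?php
// Added example, not WordPress code: HMAC built from a bare hash
// function (RFC 2104) for PHP builds that lack hash_hmac(), plus a
// cookie-token check that uses it. Assumed: md5()/sha1() are available.

// Raw (binary) digest of $data with the named hash. pack('H*', ...) is
// used instead of md5($data, true) so the code also runs on PHP 4.
function raw_digest($algo, $data) {
    return pack('H*', $algo === 'sha1' ? sha1($data) : md5($data));
}

// HMAC_K(m) = H((K ^ opad) || H((K ^ ipad) || m)), hex-encoded.
// Block size is 64 bytes for both MD5 and SHA-1.
function hmac_from_hash($algo, $key, $data) {
    $block_size = 64;
    if (strlen($key) > $block_size) {
        $key = raw_digest($algo, $key);       // long keys are hashed first
    }
    $key  = str_pad($key, $block_size, "\0"); // then zero-padded to the block
    $ipad = str_repeat(chr(0x36), $block_size);
    $opad = str_repeat(chr(0x5c), $block_size);
    $inner = raw_digest($algo, ($key ^ $ipad) . $data);
    return bin2hex(raw_digest($algo, ($key ^ $opad) . $inner));
}

// Cross-checks against the RFC 2104 / Wikipedia HMAC-MD5 test vector
// and, where the build has hash_hmac(), against the native function.
function hmac_self_check() {
    $msg = 'The quick brown fox jumps over the lazy dog';
    $ok  = hmac_from_hash('md5', 'key', $msg) === '80070713463e7749b90c2dc24911e275';
    if (function_exists('hash_hmac')) {
        $ok = $ok && hash_hmac('md5', $msg, 'key') === hmac_from_hash('md5', 'key', $msg);
    }
    return $ok;
}

// Constant-time string comparison (hash_equals() is PHP 5.6+).
function same_string($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Cookie value "login|expiry|mac", with the MAC covering login and
// expiry. $secret_key stands in for the site's secret (assumed name).
function make_auth_cookie($login, $expiry, $secret_key) {
    $mac = hmac_from_hash('md5', $secret_key, $login . '|' . $expiry);
    return $login . '|' . $expiry . '|' . $mac;
}

// Returns the login on success, false on a bad or expired cookie.
function check_auth_cookie($cookie, $secret_key, $now) {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    list($login, $expiry, $mac) = $parts;
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return false;                          // expired or malformed expiry
    }
    $expected = hmac_from_hash('md5', $secret_key, $login . '|' . $expiry);
    return same_string($expected, $mac) ? $login : false;
}

// The limit sjmurdoch points out still applies: anyone holding
// $secret_key can call make_auth_cookie() for any login, so the key
// must not live where a database dump would expose it.

$cookie = make_auth_cookie('alice', time() + 3600, 'site-secret');
var_dump(hmac_self_check());                                   // bool(true)
var_dump(check_auth_cookie($cookie, 'site-secret', time()));   // string "alice"
var_dump(check_auth_cookie($cookie, 'other-secret', time()));  // bool(false)
```

The design point is the one the comment makes: the MAC only binds the expiry to the login, so it fixes the expiry problem but offers nothing once the key itself is in the attacker's hands, which is why the key has to be kept separately from the database rather than alongside the password hashes.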