[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Sun Dec 2 20:51:04 GMT 2007

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by sjmurdoch):

 Replying to [comment:26 ryan]:
 > The recipes using HMAC look good, however hash_hmac() is available only
 in recent PHP versions. We'll have to fall back to something else when it
 isn't available.

 It is quite straightforward to build HMAC out of a hash function, and even
 using MD5 is OK for this because HMAC is not vulnerable to collision
 attacks. The Wikipedia article [http://en.wikipedia.org/wiki/HMAC on HMAC]
 shows how it is constructed. So I wouldn't let this be an impediment.

 This is still more complicated than building sessions, and importantly if
 the attacker gets access to the database and key, he can still log in as
 any user. So while it fixes the expiry issues it will not completely stop
 the problem that this ticket is about.

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:27>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list