[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Mon Dec 10 20:01:33 GMT 2007

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by sjmurdoch):

 Replying to [comment:39 ryan]:
 > We could incorporate your session key stuff into the currently unused
 > data field of the cookie.  Store a random key in the cookie and store the
 > hash of that key in the DB.  But, that brings us back to allowing only one
 > session at a time and requiring a DB write for every successful login

 I think it is possible to do better, but it could involve a bit of tricky
 cryptography. With only MD5 it will take more work, but it is possible to
 turn any hash function into a block cipher. I'm not sure if I'll have
 enough time this week to write it up properly though.

 > > What are the timeouts on the cookies? It looks like 2 days or 14 days
 > > if I do my maths right - would we not do better with a shorter expiry time
 > > and resetting the cookie on every admin page access with a new expiry.
 > Wouldn't that allow replaying an old cookie to get a new cookie with a
 > fresh expiry?

 A variant is to only allow auto-extension of valid cookies, so it means
 that really old ones won't work. That still means that if someone steals a
 cookie and uses it promptly, it will be possible to keep renewing it. I
 still think it is better to have a hard limit on cookie expiration, so
 someone with a cookie and no password will eventually get locked out.

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:40>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
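The two cookie-lifetime designs debated in the comment above (sliding expiry renewed on every admin page access versus a hard limit on total cookie lifetime) can be compared directly with a small model. The code below is an added example written for this page; it is not WordPress code and not the scheme proposed in the ticket. The cookie format (`user|issued|expires|mac`), the HMAC-SHA256 signature, the secret key and the 2-hour / 14-day constants are all assumptions chosen to illustrate the argument: auto-extension is only granted to a cookie that validates right now, and with `max_lifetime` set no renewal can push the expiry past the issue time plus the cap, so a holder without the password is eventually locked out.

```python
import hashlib
import hmac

# Assumption: a server-side secret; constructed for this example only.
SECRET_KEY = b"constructed-secret-key-for-this-example"
# Assumption: HMAC-SHA256. The 2007 thread only had MD5 to work with;
# swap in hashlib.md5 to model that environment.
HASH = hashlib.sha256

SLIDING_WINDOW = 2 * 3600          # renewed on every admin page access
MAX_LIFETIME = 14 * 24 * 3600      # hard cap, modelled on the 14-day cookie in the thread


def _sign(payload: str) -> str:
    """Keyed MAC over the cookie payload so the fields cannot be edited client-side."""
    return hmac.new(SECRET_KEY, payload.encode(), HASH).hexdigest()


def issue_cookie(user: str, now: int) -> str:
    """Fresh login: record the issue time (anchors the hard limit) and a short expiry."""
    payload = f"{user}|{now}|{now + SLIDING_WINDOW}"
    return f"{payload}|{_sign(payload)}"


def validate_cookie(cookie: str, now: int, max_lifetime=MAX_LIFETIME):
    """Return (user, issued, expires) if the cookie is valid at `now`, else None.

    max_lifetime=None models the sliding-only design with no hard limit."""
    try:
        user, issued, expires, mac = cookie.split("|")
        issued, expires = int(issued), int(expires)
    except ValueError:
        return None
    payload = f"{user}|{issued}|{expires}"
    if not hmac.compare_digest(_sign(payload), mac):
        return None                                  # tampered or forged
    if now >= expires:
        return None                                  # sliding window lapsed
    if max_lifetime is not None and now >= issued + max_lifetime:
        return None                                  # hard limit reached
    return user, issued, expires


def renew_cookie(cookie: str, now: int, max_lifetime=MAX_LIFETIME):
    """Auto-extend only a currently valid cookie, never past the hard limit.

    An expired cookie presented later gets nothing back, so replaying an old
    cookie does not yield a fresh one."""
    parsed = validate_cookie(cookie, now, max_lifetime)
    if parsed is None:
        return None
    user, issued, _ = parsed
    new_expiry = now + SLIDING_WINDOW
    if max_lifetime is not None:
        new_expiry = min(new_expiry, issued + max_lifetime)
    payload = f"{user}|{issued}|{new_expiry}"
    return f"{payload}|{_sign(payload)}"


def renewals_until_lockout(cookie: str, start: int, interval: int,
                           horizon: int, max_lifetime=MAX_LIFETIME) -> int:
    """Model a holder who renews every `interval` seconds from `start`.

    Returns how many renewals succeed before the first refusal or the horizon;
    this is the number of accesses a stolen cookie would keep working for."""
    count, t = 0, start
    while t < horizon:
        cookie = renew_cookie(cookie, t, max_lifetime)
        if cookie is None:
            break
        count += 1
        t += interval
    return count


if __name__ == "__main__":
    t0 = 1_000_000                      # constructed login time
    c = issue_cookie("admin", t0)
    month = t0 + 30 * 24 * 3600
    print("hard limit :", renewals_until_lockout(c, t0, 3600, month))
    print("sliding only:", renewals_until_lockout(c, t0, 3600, month, None))
```

Running the module shows the difference the comment is arguing about: with the hard cap, hourly renewal of a stolen cookie stops working after 336 accesses (14 days), while the sliding-only variant is still being renewed when the 30-day simulation horizon ends. The hard cap does not remove the need for the expiry check on every request; it only bounds how long a lost cookie can be kept alive.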
