[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Mon Dec 10 20:01:33 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
Replying to [comment:39 ryan]:
> We could incorporate your session key stuff into the currently unused
> data field of the cookie. Store a random key in the cookie and store the
> hash of that key in the DB. But, that brings us back to allowing only one
> session at a time and requiring a DB write for every successful login
> attempt.
I think it is possible to do better, but it could involve a bit of tricky
cryptography. With only MD5 it will take more work, but it is possible to
turn any hash function into a block cipher. I'm not sure if I'll have
enough time this week to write it up properly though.
> > What are the timeouts on the cookies it looks like 2 days or 14 days
> > if I do my maths right - would we not do better with a shorter expiry time
> > and resetting the cookie on every admin page access with a new expiry.
>
> Wouldn't that allow replaying an old cookie to get a new cookie with a
> fresh expiry?
A variant is to only allow auto-extension of valid cookies, so it means
that really old ones won't work. That still means that if someone steals a
cookie and uses it promptly, it will be possible to keep renewing it. I
still think it is better to have a hard limit on cookie expiration, so
someone with a cookie and no password will eventually get locked out.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:40>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
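The following is an added example, not code from this ticket or from WordPress, sketching the two ideas discussed above: a random session key carried in the cookie whose hash is kept server-side, and a sliding expiry that can only extend a cookie that is still valid while a hard limit measured from issue time eventually locks out anyone holding a stolen cookie without the password. The signing scheme (HMAC-SHA256 with a constructed server secret), the 2-day sliding and 14-day hard lifetimes, the in-memory dict standing in for the database, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for this example only; they are not WordPress settings.
SERVER_SECRET = b"example-server-secret-do-not-reuse"
DAY = 24 * 3600
SLIDING_LIFETIME = 2 * DAY    # each access may extend the cookie by this much
HARD_LIFETIME = 14 * DAY      # absolute cap, measured from the original issue time

# Hypothetical stand-in for "store the hash of the key in the DB":
# user -> set of sha256(session key) digests, so several sessions can coexist.
SESSION_DB: dict[str, set[str]] = {}


def _sign(payload: str) -> str:
    """Keyed MAC over the cookie fields so a client cannot edit the expiry."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _build(user: str, issued: int, expires: int, key: str) -> str:
    payload = f"{user}|{issued}|{expires}|{key}"
    return payload + "|" + _sign(payload)


def issue_cookie(user: str, now: int) -> str:
    """Login: mint a random key, record its hash server-side, hand the key out in the cookie."""
    key = secrets.token_hex(16)
    SESSION_DB.setdefault(user, set()).add(hashlib.sha256(key.encode()).hexdigest())
    return _build(user, now, now + SLIDING_LIFETIME, key)


def parse_and_verify(cookie: str, now: int):
    """Return (user, issued, expires, key) for a valid cookie, else None."""
    parts = cookie.split("|")
    if len(parts) != 5:
        return None
    user, issued_s, expires_s, key, sig = parts
    if not hmac.compare_digest(_sign("|".join(parts[:4])), sig):
        return None                                   # tampered or forged
    issued, expires = int(issued_s), int(expires_s)
    if now >= expires:
        return None                                   # sliding expiry lapsed
    if now >= issued + HARD_LIFETIME:
        return None                                   # hard limit reached
    digest = hashlib.sha256(key.encode()).hexdigest()
    if digest not in SESSION_DB.get(user, set()):
        return None                                   # logged out or never issued
    return user, issued, expires, key


def renew_cookie(cookie: str, now: int):
    """Only a currently valid cookie is extended; the issue time is carried over,
    so renewing never pushes the expiry past the hard limit."""
    parsed = parse_and_verify(cookie, now)
    if parsed is None:
        return None
    user, issued, _expires, key = parsed
    new_expires = min(now + SLIDING_LIFETIME, issued + HARD_LIFETIME)
    return _build(user, issued, new_expires, key)


def logout(user: str, cookie: str) -> None:
    """Invalidate just this session by dropping its key hash from the store."""
    key = cookie.split("|")[3]
    SESSION_DB.get(user, set()).discard(hashlib.sha256(key.encode()).hexdigest())


def days_until_locked_out(user: str) -> int:
    """Simulate a holder of a cookie (but no password) renewing it once a day:
    renewals succeed until the hard limit, then the cookie is refused."""
    cookie = issue_cookie(user, 0)
    for day in range(1, 366):
        renewed = renew_cookie(cookie, day * DAY)
        if renewed is None:
            return day
        cookie = renewed
    return -1


if __name__ == "__main__":
    print("daily renewal locks out after day", days_until_locked_out("demo"))
```

Renewal carries the original issue timestamp forward, which is what turns the sliding window into something bounded: a cookie used promptly can be kept alive, exactly as the comment notes, but only until the hard limit, and a cookie that has already lapsed cannot be revived by presenting it later.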