[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Mon Dec 10 22:12:35 GMT 2007

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by ryan):

 Replying to [comment:40 sjmurdoch]:
 > Replying to [comment:39 ryan]:
 > > We could incorporate your session key stuff into the currently unused
 data field of the cookie.  Store a random key in the cookie and store the
 hash of that key in the DB.  But, that brings us back to allowing only one
 session at at time and requiring a DB write for every successful login
 > I think it is possible to do better, but it could involve a bit of
 tricky cryptography. With only MD5 it will take more work, but it is
 possible to turn any hash function into a block cipher. I'm not sure if
 I'll have enough time this week to write it up properly though.

 Even with a block cipher we still have to worry about someone getting the
 key if it is stored in the DB, yes?

 If a block cipher would indeed help prevent cookies being created from DB
 information, we could always make it an optional bit of extra security we
 add if mcrypt is available.  If mcrypt is not available, the cookie
 doesn't get that extra bit of security.  If we do want to provide a fall
 back for when mcrypt is not available, I found this.  Don't know if it's
 any good.


 > > > What are the timeouts on the cookies it looks like 2 days or 14 days
 if I do my maths right - would we not do better with a shorter expiry time
 and resetting the cookie on every admin page access with a new expiry.
 > >
 > > Wouldn't that allow replaying an old cookie to get a new cookie with a
 fresh expiry?
 > A variant is to only allow auto-extension of valid cookies, so it means
 that really old ones won't work. That still means that if someone steals a
 cookie and uses it promptly, it will be possible to keep renewing it. I
 still think it is better to have a hard limit on cookie expiration, so
 someone with a cookie and no password will eventually get locked out.

 I'd rather have a hard limit too.  A reasonable timeout coupled with a
 grace period to allow POSTs to complete seems user friendly enough.

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:41>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list