[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Tue Dec 11 19:19:01 GMT 2007

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by ryan):

 Replying to [comment:42 sjmurdoch]:
 > Replying to [comment:41 ryan]:
 > > Even with a block cipher we still have to worry about someone getting
 the key if it is stored in the DB, yes?
 > The rough idea I was thinking of is storing the encrypted hash of the
 password in the cookie, and the double hash in the database. Then if an
 attacker can read the key and double-hash, they can still not generate a
 valid cookie.

 Double hashing the password stored in the DB makes it hard to interop with
 things like mod_auth_mysql, yes? I'm not sure if portable phpass hashes
 are supported as is.  wp_hash_password() and wp_check_password() could be
 replaced with something that mod_auth_mysql can handle, but requiring a
 double hash in the DB could foil that.

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:43>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list