[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Thu Dec 13 11:52:44 GMT 2007

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by DD32):

 Replying to [comment:45 sjmurdoch]:
 > That sounds like a bad idea to me. The database password is too short to
 resist an offline brute force/dictionary attack. If we use it in the
 cookie, anyone could discover the password with a bit of work.

 It'd more than just the password, And its allready in use, If you use
 multiple pieces and do an md5 or so of them, then its unlikely an attacker
 will back-engineer it.
 $this->secret = DB_PASSWORD . DB_USER .

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:46>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list