[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Thu Dec 20 18:17:37 GMT 2007

#5367: Wordpress cookie authentication vulnerability
 Reporter:  sjmurdoch                |        Owner:  westi   
     Type:  defect                   |       Status:  assigned
 Priority:  normal                   |    Milestone:  2.4     
Component:  Security                 |      Version:  2.3.1   
 Severity:  normal                   |   Resolution:          
 Keywords:  security, password, md5  |  
Comment (by ryan):

 sjmurdoch, we can remove DB info from the secret key then. People will
 just have change their SECRET_KEY to get extra protection.

 sambauers, we could have a SECRET_SALT define that overrides the secret in
 the DB to aid integrators.  We create a random "secret" in the DB to make
 up for the fact that most people won't change SECRET_KEY. Integrators will
 have to change keys, so we can do without the secret in the DB.  phpass,
 BTW, plays no role in the cookie protocol.  phpass and password hashing
 are a separate consideration.

Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:61>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list