[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Mon Nov 19 22:27:54 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-----------------------+----------------------------------------------------
 Reporter:  sjmurdoch  |        Owner:  anonymous
     Type:  defect     |       Status:  new
 Priority:  normal     |    Milestone:  2.4
Component:  Security   |      Version:  2.3.1
 Severity:  normal     |   Resolution:
 Keywords:             |
-----------------------+----------------------------------------------------
Changes (by sjmurdoch):

  * cc: sjmurdoch (added)

Comment:

 The phpass library looks like a reasonable basis for password hashing.

 That PHP encryption algorithm looks like something from the 19th century,
 and is almost certainly broken. Ignore it.

 Is there really nothing better than MD5 to use? For hashing SHA-1 is
 better and some proper symmetric block ciphers would also be useful.

 The scheme I was thinking of is something along the lines of storing
 salt,H(crypted salted password) in the database and in the cookie storing
 E(user id,crypted salted password,start time) and its HMAC; where H is the
 hash and E, HMAC are encryption and authentication under site-specific
 keys.

 This means that given the contents of the database, the attacker cannot
 create a valid cookie as you can't go from H(crypted salted password) to
 crypted salted password. Also, since the crypted salted password is
 encrypted it is infeasible to brute force the password given only a
 cookie. Setting a start time means that cookies can be expired and this
 timestamp can't be modified due to the HMAC.

 This is just an initial idea and more refinement and analysis are needed,
 but that's a rough outline.

--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
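
The scheme outlined in the comment above, as an added example that is not part of the original message and is not WordPress code. It assumes SHA-256 for H, scrypt standing in for the phpass-crypted password, AES-256-CTR for E and HMAC-SHA256 for the HMAC; the names `register`, `login`, `seal` and `verifyCookie` and the in-memory `db` map are hypothetical.

```javascript
const crypto = require('crypto');

// Site-specific keys (constructed for this example; they live outside the database).
const ENC_KEY = crypto.randomBytes(32);
const MAC_KEY = crypto.randomBytes(32);
const MAX_AGE = 3600;   // assumed cookie lifetime in seconds
const db = new Map();   // user id -> { salt, hashed }; stands in for the users table

const H = (buf) => crypto.createHash('sha256').update(buf).digest();
// "crypted salted password": scrypt is this example's stand-in for phpass.
const crypted = (password, salt) => crypto.scryptSync(password, salt, 32);
const mac = (buf) => crypto.createHmac('sha256', MAC_KEY).update(buf).digest();

function register(uid, password) {
  const salt = crypto.randomBytes(16);
  db.set(uid, { salt, hashed: H(crypted(password, salt)) }); // salt, H(crypted salted password)
}

// Cookie = base64( iv || E(user id, crypted salted password, start time) || HMAC )
function seal(uid, cryptedPw, start) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-ctr', ENC_KEY, iv);
  const plain = JSON.stringify({ uid, pw: cryptedPw.toString('hex'), start });
  const body = Buffer.concat([iv, c.update(plain, 'utf8'), c.final()]);
  return Buffer.concat([body, mac(body)]).toString('base64');
}

function login(uid, password, now) {
  const rec = db.get(uid);
  if (!rec) return null;
  const cp = crypted(password, rec.salt);
  return crypto.timingSafeEqual(H(cp), rec.hashed) ? seal(uid, cp, now) : null;
}

function verifyCookie(cookie, now) {
  const raw = Buffer.from(cookie, 'base64');
  if (raw.length <= 48) return null;                          // iv (16) + HMAC (32) + data
  const body = raw.subarray(0, -32), tag = raw.subarray(-32);
  if (!crypto.timingSafeEqual(mac(body), tag)) return null;   // authenticate before decrypting
  const d = crypto.createDecipheriv('aes-256-ctr', ENC_KEY, body.subarray(0, 16));
  const plain = Buffer.concat([d.update(body.subarray(16)), d.final()]).toString('utf8');
  const { uid, pw, start } = JSON.parse(plain);
  if (now < start || now - start > MAX_AGE) return null;      // start time enforces expiry
  const rec = db.get(uid);
  // The database holds only H(crypted), so a database value cannot fill the pw field.
  return rec && crypto.timingSafeEqual(H(Buffer.from(pw, 'hex')), rec.hashed) ? uid : null;
}
```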