[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability

WordPress Trac wp-trac at lists.automattic.com
Mon Nov 19 22:27:54 GMT 2007


#5367: Wordpress cookie authentication vulnerability
-----------------------+----------------------------------------------------
 Reporter:  sjmurdoch  |        Owner:  anonymous
     Type:  defect     |       Status:  new      
 Priority:  normal     |    Milestone:  2.4      
Component:  Security   |      Version:  2.3.1    
 Severity:  normal     |   Resolution:           
 Keywords:             |  
-----------------------+----------------------------------------------------
Changes (by sjmurdoch):

 * cc: sjmurdoch (added)

Comment:

 The phpass library looks like a reasonable basis for password hashing.

 That PHP encryption algorithm looks like something from the 19th century,
 and is almost certainly broken. Ignore it.

 Is there really nothing better than MD5 to use? For hashing SHA-1 is
 better and some proper symmetric block ciphers would also be useful.

 The scheme I was thinking of is something along the lines of storing
 salt,H(crypted salted password) in the database and in the cookie storing
 E(user id,crypted salted password,start time) and its HMAC; where H is the
 hash and E, HMAC are encryption and authentication under site-specific
 keys.

 This means that given the contents of the database, the attacker cannot
 create a valid cookie as you can't go from H(crypted salted password) to
 crypted salted password. Also, since the crypted salted password is
 encrypted it is infeasible to brute force the password given only a
 cookie. Setting a start time means that cookies can be expired and this
 timestamp can't be modified due to the HMAC.

 This is just an initial idea and more refinement and analysis are needed,
 but that's a rough outline.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
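The scheme sketched in the comment above, written out as an added Python example (not code from the ticket or from WordPress): the database holds `salt, H(crypted salted password)`, and the cookie holds `E(user id, crypted salted password, start time)` plus an HMAC over it, all under site-specific keys. Everything concrete here is an assumption for illustration: PBKDF2 stands in for the phpass crypt, SHA-256 stands in for the hash `H`, and because Python's standard library has no block cipher, `E` is an HMAC-SHA256 keystream in counter mode with a random nonce, a stand-in for the "proper symmetric block cipher" the comment asks for. The keys and cookie lifetime are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Site-specific keys (constructed for this example; a real site generates
# them once and keeps them outside the database).
ENC_KEY = b"example-site-encryption-key-not-for-production"
MAC_KEY = b"example-site-hmac-key-not-for-production"
COOKIE_LIFETIME = 14 * 24 * 3600  # assumed cookie lifetime in seconds

# The "database": user id -> (salt, H(crypted salted password))
USERS = {}


def crypt_password(password: str, salt: bytes) -> bytes:
    """The 'crypted salted password' (PBKDF2 stands in for the phpass crypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def H(data: bytes) -> bytes:
    """One-way hash applied to the crypted value before it is stored."""
    return hashlib.sha256(data).digest()


def register(user_id: int, password: str) -> None:
    salt = os.urandom(16)
    USERS[user_id] = (salt, H(crypt_password(password, salt)))


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in stream cipher (assumption, not a vetted AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def E(plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))


def D(ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(nonce, len(body))))


def seal(payload: bytes) -> bytes:
    """Encrypt-then-MAC under the site keys; the tag covers the nonce and ciphertext."""
    ct = E(payload)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def issue_cookie(user_id: int, password: str, start_time: int):
    """Login: check the password against H(crypted), then seal (user id, start time, crypted)."""
    salt, stored = USERS[user_id]
    crypted = crypt_password(password, salt)
    if not hmac.compare_digest(H(crypted), stored):
        return None
    return seal(struct.pack(">IQ", user_id, start_time) + crypted)


def verify_cookie(cookie: bytes, now: int):
    """Return the user id if the cookie is authentic, matches the database and is unexpired, else None."""
    ct, tag = cookie[:-32], cookie[-32:]
    # 1. Authenticate first: any change, including to the start time, fails here.
    if not hmac.compare_digest(hmac.new(MAC_KEY, ct, hashlib.sha256).digest(), tag):
        return None
    payload = D(ct)
    if len(payload) != 12 + 32:
        return None
    user_id, start_time = struct.unpack(">IQ", payload[:12])
    crypted = payload[12:]
    record = USERS.get(user_id)
    if record is None:
        return None
    # 2. The database only holds H(crypted), so the cookie's value is checked by hashing it.
    if not hmac.compare_digest(H(crypted), record[1]):
        return None
    # 3. Expiry from the sealed start time.
    if now < start_time or now - start_time > COOKIE_LIFETIME:
        return None
    return user_id


def cookie_from_stored_hash(user_id: int, start_time: int) -> bytes:
    """Design check: a cookie built from the database record alone (the stored H value in
    place of the crypted value) must not verify, because H(H(crypted)) != H(crypted)."""
    _, stored = USERS[user_id]
    return seal(struct.pack(">IQ", user_id, start_time) + stored)
```

The ordering in `verify_cookie` matters: the HMAC is checked before anything is decrypted or parsed, so a cookie with a modified timestamp or user id is rejected without the server ever acting on its contents, and `cookie_from_stored_hash` shows the property the comment relies on: the database record by itself does not contain what the cookie must carry.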

