[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie
authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Tue Nov 20 16:32:20 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
In case I wasn't clear, I should point out that MD5 is '''not''' the
problem here. Switching to SHA-1 will leave Wordpress vulnerable to
precisely the same issues. Although MD5 is vulnerable to collisions from
carefully crafted input, this is not an issue for Wordpress's use.
I think the optimum solution would be to use an existing scheme, and
preferably a well-audited library for handling authentication and cookie
management. Is there really nothing out these which does the job. I'm not
a PHP programmer, but it seems that what Wordpress needs is a very common
requirement.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list