[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Thu Nov 22 03:32:08 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by Otto42):
Salting the passwords would be nice to prevent dictionary attacks, and
using something other than MD5 would be nice as well, but these won't
solve the problem.
Why are we storing the username and password in cookies at all? Is there
any particular reason that we're not using PHP sessions? With a session,
we could have the username and hashed password remain on the server as
session variables, and the only cookie would be the randomly generated
session ID. No real vulnerability there at all, eh?
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:14>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
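The two designs the comment contrasts, written out as an added example (this is editor-supplied illustration, not WordPress code and not code posted by Otto42). The first function models the scheme objected to, a cookie carrying the username plus a hash derived from the stored password hash; the second models the proposal, where the user identity stays in server-side session state and the only cookie is PHP's randomly generated session ID. Function names are hypothetical, and `password_hash`/`password_verify` are substituted for the MD5 hashing the ticket discusses, since the comment itself asks for salting and a non-MD5 hash.

```php
<?php
// Added example, not WordPress code. All function names are hypothetical.

// --- Scheme the comment objects to: the cookie carries the credentials.
// The value is a pure function of the username and the stored hash, so
// anyone who reads the cookie, or the stored hash it is derived from, can
// reproduce it; nothing in it expires or is bound to a login event.
function legacy_cookie_value(string $user, string $stored_hash): string {
    return $user . '|' . md5($stored_hash);   // static and replayable
}

// --- Proposed scheme: credentials never leave the server; the browser
// only holds a random session ID that is meaningless without server state.
function start_authenticated_session(string $user): void {
    // The cookie is the session ID alone. Keep it off plain HTTP and away
    // from script access so a stolen ID is harder to obtain in the first place.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    // Replace any pre-login ID so an attacker-chosen or guessed ID is not
    // promoted to an authenticated one (session fixation).
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
}

// Password check happens once, here; its outcome is recorded in the
// server-side session, never written into the cookie.
// $stored_hash is assumed to come from password_hash() (salted by default).
function login(string $user, string $submitted_password, string $stored_hash): bool {
    if (!password_verify($submitted_password, $stored_hash)) {
        return false;
    }
    start_authenticated_session($user);
    return true;
}

// Resolve the current user from the session ID the browser presented.
function current_user(): ?string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['user'] ?? null;
}

// Logout invalidates the server-side state, so a cookie captured earlier
// stops working immediately, which the legacy cookie could never do.
function logout(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}
```

One caveat a practitioner would add to the design: the session ID is still a bearer secret. Its safety rests on it being unpredictable (PHP's default generator), being sent only with the Secure and HttpOnly flags, being rotated at login as above, and the server-side session expiring; if the cookie itself is stolen, the thief holds the session for as long as it lives, even though they learn nothing about the password.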