[wp-trac] [WordPress Trac] #6754: Improve default wp_salt()
WordPress Trac
wp-trac at lists.automattic.com
Wed Apr 16 19:04:30 GMT 2008
#6754: Improve default wp_salt()
----------------------+-----------------------------------------------------
Reporter: filosofo | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.6
Component: General | Version:
Severity: normal | Keywords: SECRET_KEY wp_salt security
----------------------+-----------------------------------------------------
As pointed out
[http://www.securityfocus.com/archive/1/490887/30/0/threaded here], if
someone gets the salt from the db and SECRET_KEY is default or blank, the
password security is no better off than it was in 2.3.3.
My patch adds an md5 hash of the time wp-config.php was last modified and
the database password, as a prefix to the secret key. Neither should be
available just from obtaining a database dump, and particularly the time
wp-config.php was last modified should be difficult to determine, so that
should reduce the effectiveness of such an attack as described above.
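The derivation described in the ticket, as an added stand-alone illustration (this is not the ticket's patch and not WordPress's own wp_salt()). The function name example_wp_salt(), its parameters, the EXAMPLE_DEFAULT_SECRET_KEY constant and all sample values are assumptions constructed for this example; a real install reads SECRET_KEY and DB_PASSWORD from wp-config.php and the per-site salt from the options table.

```php
<?php
// Added example, not the ticket's patch or WordPress code: a stand-alone
// sketch of the salt derivation described in #6754. example_wp_salt() and
// its parameters are assumptions made for this illustration.

// Stand-in for the shipped placeholder that WordPress treats as "unset".
define('EXAMPLE_DEFAULT_SECRET_KEY', 'put your unique phrase here');

/**
 * Derive the salt from four inputs:
 *   $db_salt        the per-site 'secret' option stored in the database
 *   $secret_key     the SECRET_KEY constant from wp-config.php
 *   $wp_config_path path to wp-config.php (its mtime is mixed in)
 *   $db_password    DB_PASSWORD from wp-config.php
 */
function example_wp_salt($db_salt, $secret_key, $wp_config_path, $db_password) {
    // Pre-patch behaviour: an empty or unchanged SECRET_KEY contributes nothing,
    // so the salt collapses to the database value alone.
    if ($secret_key === '' || $secret_key === EXAMPLE_DEFAULT_SECRET_KEY) {
        $secret_key = '';
    }

    // The ticket's addition: prefix with md5(mtime of wp-config.php . DB_PASSWORD).
    // Neither input is present in a database dump.
    $mtime  = file_exists($wp_config_path) ? filemtime($wp_config_path) : 0;
    $prefix = md5($mtime . $db_password);

    return $prefix . $secret_key . $db_salt;
}

// --- Constructed demonstration values (not real secrets) ---
$db_salt    = 'dump3dS3cretFromOptionsTable';
$tmp_config = tempnam(sys_get_temp_dir(), 'wpcfg'); // stands in for wp-config.php
file_put_contents($tmp_config, "<?php // constructed stand-in for wp-config.php\n");

// Site with a blank SECRET_KEY: before the patch the effective salt is the
// database value alone; after it, a prefix derived from values outside the
// database is required as well.
$old_style = '' . $db_salt;
$new_style = example_wp_salt($db_salt, '', $tmp_config, 'example-db-password');

echo "salt from db only : $old_style\n";
echo "salt with prefix  : $new_style\n";
echo "dump alone suffices? " . ($old_style === $new_style ? 'yes' : 'no') . "\n";

// Same database dump, different DB_PASSWORD: the derived salt differs.
$other = example_wp_salt($db_salt, '', $tmp_config, 'another-password');
echo "differs with other DB password? " . ($other !== $new_style ? 'yes' : 'no') . "\n";

unlink($tmp_config);
```

Run it with `php example.php`. Note the design limit: filemtime() is a one-second-resolution Unix timestamp, so the unpredictability of the prefix rests mainly on DB_PASSWORD; the prefix raises the bar for someone holding only a database dump, while a real, unique SECRET_KEY remains the primary control.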
--
Ticket URL: <http://trac.wordpress.org/ticket/6754>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software