[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Wed Jan 9 16:40:10 GMT 2008
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
 Reporter:  sjmurdoch                |       Owner:  westi
     Type:  defect                   |      Status:  assigned
 Priority:  normal                   |   Milestone:  2.5
Component:  Security                 |     Version:  2.3.1
 Severity:  normal                   |  Resolution:
 Keywords:  security, password, md5  |
-------------------------------------+--------------------------------------
Comment (by ryan):
Replying to [comment:72 sambauers]:
> Am I missing something or is the SECRET_KEY now not doing anything at all?
>
> wp_salt() defines $secret_key from SECRET_KEY on lines 713 - 715 of pluggable.php, but then doesn't concatenate it with $salt
Fixed.
> Also, should some value be auto-generated for $secret_key if there is no SECRET_KEY defined or do we just rely on the DB based secret in that case?
Anything auto-generated would need to be DB based since we can't assume
file write privs. We don't need two values stored in the DB, so if there
is no secret key just using the salt is fine.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:74>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
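
The defect and fix discussed in this message, modelled as an added PHP sketch: it is not WordPress's code, and the function names, the `$options` array standing in for the database and the sample keys are assumptions. It places the form that reads the key but never concatenates it beside the corrected form, with a regression check that detects a configured key that has no effect.

```php
<?php
// Added sketch, not WordPress code. All function names are hypothetical.

// Stand-in for the options table. The DB-stored salt is generated on first
// use, since the application cannot assume write access to its config file.
function db_salt(array &$options): string {
    if (empty($options['secret'])) {
        $options['secret'] = bin2hex(random_bytes(32));
    }
    return $options['secret'];
}

// Defective form: the configured key is read into a variable and then dropped,
// so the result depends on the DB salt alone.
function salt_key_ignored(array &$options, ?string $configKey): string {
    $secret_key = $configKey ?? '';
    $salt = db_salt($options);
    return $salt;
}

// Corrected form: key and DB salt are concatenated. With no key configured,
// the DB salt is used on its own.
function salt_key_used(array &$options, ?string $configKey): string {
    $secret_key = $configKey ?? '';
    return $secret_key . db_salt($options);
}

// Regression check: with the DB salt held fixed, two different configured
// keys must produce different results. Sample values are constructed.
function config_key_has_effect(callable $derive): bool {
    $options = ['secret' => 'constructed-db-salt'];
    $a = $derive($options, 'constructed-key-A');
    $b = $derive($options, 'constructed-key-B');
    return !hash_equals($a, $b);
}

// Fallback check: with no key configured, the result is the DB salt itself.
function fallback_is_db_salt(callable $derive): bool {
    $options = ['secret' => 'constructed-db-salt'];
    return hash_equals('constructed-db-salt', $derive($options, null));
}

var_dump(config_key_has_effect('salt_key_ignored'));
var_dump(config_key_has_effect('salt_key_used'));
var_dump(fallback_is_db_salt('salt_key_used'));
```

A check like `config_key_has_effect` belongs in the test suite, because a configuration secret that is silently ignored produces no error at runtime.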