[wp-trac] [WordPress Trac] #14803: Admins should be warned if authentication keys and salts have the default phrase
WordPress Trac
wp-trac at lists.automattic.com
Tue Sep 7 15:20:17 UTC 2010
#14803: Admins should be warned if authentication keys and salts have the default phrase
-------------------------+--------------------------------------------------
Reporter: coffee2code | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords: has-patch
-------------------------+--------------------------------------------------
WordPress already warns admin users if any of the eight authentication
keys/salts are not present in the wp-config.php. (See
`secret_salt_warning()` in wp-admin/includes/ms.php.) While performing
that check, WP should also see if any of the keys/salts are using the
default string of "put your unique phrase here".

The default string is pre-set for all eight keys/salts that ship in
wp-config-sample.php. While the inline documentation indicates that those
values should be changed, there is no notice or prompting to alert/remind
the admin if the default string is left intact.

Bear in mind that `wp_salt()` (in wp-includes/pluggable.php) ignores the
keys/salts that use the default phrase or are blank strings, so security
isn't compromised. However, if we want the admins to define secure
phrases in wp-config.php, we should make them aware when that's not the
case.

The attached patch modifies `secret_salt_warning()` to also check that the
keys/salts aren't using the default phrase and aren't blank strings (same
check as done in `wp_salt()`). If any are, the warning message provides a
link to the wordpress.org secret key service.

See the attached image to see an example where I've removed LOGGED_IN_SALT
from wp-config.php (the error message for that is already what WP
generates) and where I've left the default phrase in place for AUTH_KEY
and AUTH_SALT and set NONCE_SALT to '' (triggering the error message added
by the attached patch).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14803>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
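The check the ticket describes, written out as a standalone example (this is added illustration, not the attached patch and not WordPress core code): each of the eight constants is classified as missing, left at the shipped default phrase, blank, or acceptable, and a warning is built for anything that is not acceptable. The function names `check_wp_secret_keys()` and `wp_secret_key_warning()` and the `$values` map are assumptions made for this example; in a real install the map would be built from `defined()`/`constant()`. The eight constant names and the phrase "put your unique phrase here" are WordPress's own, and the sample input is constructed to mirror the screenshot described in the ticket.

```php
<?php
// Added example, not the ticket's patch or WordPress core code.
// check_wp_secret_keys(), wp_secret_key_warning() and $values are assumed names.

/** The eight keys/salts defined in wp-config-sample.php. */
const WP_SECRET_KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/** The placeholder that ships in wp-config-sample.php and that wp_salt() ignores. */
const WP_DEFAULT_PHRASE = 'put your unique phrase here';

/**
 * Classify each key/salt as 'missing', 'default', 'blank' or 'ok'.
 *
 * @param array<string,string> $values Map of constant name => value. Constructed
 *        for this example; a real install would fill it from defined()/constant().
 * @return array<string,string> Map of constant name => status.
 */
function check_wp_secret_keys(array $values): array
{
    $report = [];
    foreach (WP_SECRET_KEY_NAMES as $name) {
        if (!array_key_exists($name, $values)) {
            $report[$name] = 'missing';   // already covered by secret_salt_warning()
        } elseif ($values[$name] === WP_DEFAULT_PHRASE) {
            $report[$name] = 'default';   // left as shipped in wp-config-sample.php
        } elseif ($values[$name] === '') {
            $report[$name] = 'blank';     // wp_salt() ignores this just like the default
        } else {
            $report[$name] = 'ok';
        }
    }
    return $report;
}

/**
 * Build the admin-facing warning text for every key/salt that is not 'ok'.
 * Returns '' when there is nothing to warn about.
 */
function wp_secret_key_warning(array $report): string
{
    $bad = array_filter($report, fn (string $status) => $status !== 'ok');
    if ($bad === []) {
        return '';
    }
    $items = [];
    foreach ($bad as $name => $status) {
        $items[] = sprintf('%s is %s', $name, $status);
    }
    return 'Please define unique values for the following keys/salts in wp-config.php: '
        . implode(', ', $items)
        . '. You can generate them with the wordpress.org secret key service: '
        . 'https://api.wordpress.org/secret-key/1.1/salt/';
}

// Constructed sample mirroring the ticket's screenshot: LOGGED_IN_SALT removed,
// AUTH_KEY and AUTH_SALT left at the default phrase, NONCE_SALT set to ''.
$sample = [
    'AUTH_KEY'         => WP_DEFAULT_PHRASE,
    'SECURE_AUTH_KEY'  => 'example-unique-value-1',
    'LOGGED_IN_KEY'    => 'example-unique-value-2',
    'NONCE_KEY'        => 'example-unique-value-3',
    'AUTH_SALT'        => WP_DEFAULT_PHRASE,
    'SECURE_AUTH_SALT' => 'example-unique-value-4',
    'NONCE_SALT'       => '',
];

echo wp_secret_key_warning(check_wp_secret_keys($sample)), PHP_EOL;
```

Run with `php example.php`; the sample reports AUTH_KEY and AUTH_SALT as default, NONCE_SALT as blank and LOGGED_IN_SALT as missing. Keeping the classification separate from the message text makes it easy to surface the same result elsewhere, for instance in a site-health style check, without changing the admin notice.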