[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text

WordPress Trac noreply at wordpress.org
Sun Jan 15 01:17:10 UTC 2017


#38474: wp_signups.activation_key stores activation keys in plain text
---------------------------------+------------------------------
 Reporter:  tomdxw               |       Owner:
     Type:  enhancement          |      Status:  new
 Priority:  normal               |   Milestone:  Awaiting Review
Component:  Security             |     Version:  4.6.1
 Severity:  normal               |  Resolution:
 Keywords:  4.8-early has-patch  |     Focuses:
---------------------------------+------------------------------
Changes (by bor0):

 * keywords:  4.8-early needs-patch => 4.8-early has-patch


Comment:

 Hi,

 The current proposed patch (38474.patch) will implement this feature, while
 additionally providing signup_id to be able to retrieve records from the
 database.

 Example workflow (given a multi-site WordPress setup):
 1. Visit /wp-admin/user-new.php
 2. Fill out the "Add New User" form but do not check the "Skip Confirmation Email" checkbox
 3. The user will be sent an email containing a link to /wp-activate.php?key=<KEY>&signup_id=<SIGNUP_ID> [[Image(Screen Shot 2017-01-15 at 02.04.56 AM.png)]]
 4. Check the records in the database
 {{{
 mysql> select * from wp_signups;
 +-----------+--------+------+-------+------------+----------------------+---------------------+---------------------+--------+------------------------------------+--------------------------------------------------------------------+
 | signup_id | domain | path | title | user_login | user_email           | registered          | activated           | active | activation_key                     | meta                                                               |
 +-----------+--------+------+-------+------------+----------------------+---------------------+---------------------+--------+------------------------------------+--------------------------------------------------------------------+
 |         1 |        |      |       | testa      | .......... at ......com | 2017-01-15 01:04:44 | 0000-00-00 00:00:00 |      0 | $P$BOEBNJ7xvVIc6JfWQuFzip208ua.5b0 | a:2:{s:11:"add_to_blog";s:1:"1";s:8:"new_role";s:10:"subscriber";} |
 +-----------+--------+------+-------+------------+----------------------+---------------------+---------------------+--------+------------------------------------+--------------------------------------------------------------------+
 1 row in set (0.00 sec)
 }}}
 5. When the user clicks the link, they should be able to log in (there is a check for both signup_id and activation_key in the backend) [[Image(Screen Shot 2017-01-15 at 02.06.48 AM.png)]]

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
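As an added example (not the ticket's 38474.patch and not WordPress core code), the storage and verification pattern the workflow above relies on: the key is hashed before it is written, the row is located by signup_id, and the key presented in the link is checked against the stored hash. It assumes PHP's password_hash()/password_verify() in place of WordPress's wp_hash_password()/wp_check_password(), and an in-memory array standing in for the wp_signups table.

```php
<?php
// Added example: hashed activation keys looked up by signup_id.
// $signups is an in-memory stand-in for the wp_signups table (assumption).

function create_signup(array &$signups, string $login): array {
    // Random, URL-safe key; it only ever appears in the activation email.
    $key = bin2hex(random_bytes(16));
    $id  = count($signups) + 1;
    // Only the hash is persisted, so a leaked table row yields no usable key.
    $signups[$id] = [
        'user_login'     => $login,
        'activation_key' => password_hash($key, PASSWORD_DEFAULT),
        'active'         => 0,
    ];
    return ['signup_id' => $id, 'key' => $key];
}

function activate_signup(array &$signups, int $signup_id, string $key): bool {
    // Both parameters from the link are required: the id selects the row,
    // the key must verify against that row's hash, and the row must be unused.
    if (!isset($signups[$signup_id]) || $signups[$signup_id]['active']) {
        return false;
    }
    if (!password_verify($key, $signups[$signup_id]['activation_key'])) {
        return false;
    }
    $signups[$signup_id]['active'] = 1;
    return true;
}

$signups = [];
$signup  = create_signup($signups, 'testa');
// Constructed link in the form used by the workflow in the ticket.
$url = sprintf('/wp-activate.php?key=%s&signup_id=%d', $signup['key'], $signup['signup_id']);
echo $url, PHP_EOL;
// The stored value is a hash, not the key from the link.
echo $signups[$signup['signup_id']]['activation_key'], PHP_EOL;

var_dump(activate_signup($signups, 99, $signup['key']));                      // unknown signup_id
var_dump(activate_signup($signups, $signup['signup_id'], 'not-the-key'));     // key does not match hash
var_dump(activate_signup($signups, $signup['signup_id'], $signup['key']));    // valid link
var_dump(activate_signup($signups, $signup['signup_id'], $signup['key']));    // replay of a used link
```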


More information about the wp-trac mailing list