[wp-trac] [WordPress Trac] #38474: wp_signups.activation_key stores activation keys in plain text
WordPress Trac
noreply at wordpress.org
Tue Oct 10 17:15:27 UTC 2017
#38474: wp_signups.activation_key stores activation keys in plain text
-------------------------+------------------------
Reporter: tomdxw | Owner: bor0
Type: enhancement | Status: assigned
Priority: normal | Milestone: 5.0
Component: Security | Version: 4.6.1
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: multisite
-------------------------+------------------------
Changes (by jeremyfelt):
* keywords: has-patch => needs-patch
* owner: => bor0
* status: new => assigned
* milestone: Awaiting Review => 5.0
Comment:
Thanks for opening a ticket, @tomdxw.
In the future, if you believe you are reporting a security vulnerability,
please follow the guidelines at
https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/.
With the text entered in the original issue, there should have also been a
required check-box input confirming that a security vulnerability was not
being reported.
That said, this is an area that could use some hardening and is okay to be
fixed as a public ticket. I don't believe a CVE is necessary. See #24783
as an example of a related issue that has been addressed publicly in the
past. Ideally we'll be able to use a similar fix to help communicate the
activation key change to any pending users.
@bor0 - Thank you for the initial patch. I think you're on the right path.
It'd be good if we can resolve this without the addition of another
parameter on the URL (`signup_id`). See [25696] for an example of how
we've handled an old format and new format at the same time. Using the
plain text key in the activation URL is okay because we can compare it
with an old or new (hashed) version in the DB. I'm going to assign
ownership of the ticket to you and will happily review ongoing patches. :)
I'm going to put this in the 5.0 milestone for now, though we may be able
to ship it as part of a 4.9.1 release with the right progress.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38474#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
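The dual-format check the comment describes, as an added illustration that is not WordPress core's code: the activation URL keeps carrying the plain key, and the stored value is accepted whether it is a legacy plain-text key or a new hashed one, with the caller told which so it can upgrade the row. The function names and the use of PHP's standard password_hash()/password_verify() as the hash are assumptions; hash_equals() and password_verify() are built-in PHP functions.

```php
<?php
// Illustrative example, not WordPress core code. The activation link still
// carries the plain-text key; wp_signups.activation_key may hold either a
// legacy plain-text value or a hash. password_hash()/password_verify() are
// used here as a stand-in for whatever hashing core settles on.

// Hash a freshly generated key before it is written to the database.
function hash_activation_key(string $plain_key): string {
    return password_hash($plain_key, PASSWORD_DEFAULT);
}

// Recognise the stored format. Legacy keys are short hex strings, while
// password_hash() output always begins with '$', so that is the discriminator
// assumed here.
function is_hashed_activation_key(string $stored): bool {
    return $stored !== '' && $stored[0] === '$';
}

// Check the key from the URL against the stored value in either format.
// Returns 'hashed' or 'legacy' on success (so the caller knows whether the row
// still needs to be rewritten with a hash) and false on failure.
function verify_activation_key(string $from_url, string $stored) {
    if ($from_url === '' || $stored === '') {
        return false;
    }
    if (is_hashed_activation_key($stored)) {
        return password_verify($from_url, $stored) ? 'hashed' : false;
    }
    // Legacy row: plain text in the DB. Compare in constant time, then let the
    // caller replace the row so the plain key stops living in wp_signups.
    return hash_equals($stored, $from_url) ? 'legacy' : false;
}

// Constructed sample: one pending signup in each storage format.
$key        = bin2hex(random_bytes(8));     // what the emailed link carries
$legacy_row = $key;                         // row written before the change
$new_row    = hash_activation_key($key);    // row written after the change

var_dump(verify_activation_key($key, $legacy_row));
var_dump(verify_activation_key($key, $new_row));
var_dump(verify_activation_key('not-the-key', $new_row));
```

When the result is 'legacy', the activation handler would write hash_activation_key($key) back to the row, which is the migration path that avoids a second URL parameter.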