Cryptographic splicing makes for a Wordpress vulnerability
Posted May 9, 2008 16:47 UTC (Fri) by giraffedata
In reply to: Cryptographic splicing makes for a Wordpress vulnerability
Parent article: Cryptographic splicing makes for a Wordpress vulnerability
The explanation misses a lot of details.
I'm wondering how the hacker makes the expiration string "bar20080507". Does the client choose the expiration string? That seems like something the server would do.
Also, the article doesn't really explain what an authentication cookie is, but I presume it's something the server sends to a client that has provided a valid password so that knowing that cookie in the future can stand for knowing the password. And for some reason that's better than just having the password as a cookie.
to post comments)