Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 13:40 UTC (Tue) by drag (guest, #31333) In reply to: Wordpress Cookie Authentication Vulnerability by Los__D
Parent article: Wordpress Cookie Authentication Vulnerability
Because anybody can use the md5sum of the md5sum of the password to gain access to any account, there isn't any point to cracking the password. Effectively Wordpress found a way to defeat the whole point of using hashes to secure passwords. They could have used all the salt in the world and it wouldn't have mattered. Maybe using 'md5sum[ salt + md5sum[ password ]]' to make the token would have made a difference. But then it would matter exactly how the cookie-based auth token is generated. For instance, if the salt was stored in the same database as the password hashes it wouldn't do much good. If the salt was time based it wouldn't do much good. This sort of thing is a very difficult problem and is why most of the time it's better to use some method that has been developed by security researchers and has been audited by third parties rather than try to make up your own auth systems.
Posted Nov 20, 2007 14:49 UTC (Tue)
by Los__D (guest, #15263)
Posted Nov 20, 2007 16:28 UTC (Tue)
by zlynx (guest, #2285)
Wordpress Cookie Authentication Vulnerability
This was in response to making the salt a configured value.
Of course, when nobody really needs to care about testing the sums, they could have stored the
passwords bit flipped, and have Wordpress no more unsafe than it is now...
Wordpress Cookie Authentication Vulnerability
What they need to do is either use SSL client certificates, which would be a great idea since
they do exactly what is desired: authenticate the client, or:
Use Javascript. Have the server provide a random value, then in Javascript MD5 or otherwise
hash the password or password MD5 + random value and return the result to the server.
In either case, the secret is never sent over the network.
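
The following is an added example, not part of any comment in this thread and not WordPress code. It contrasts the token derivation discussed above (a cookie that is the md5 of the stored md5) with a token keyed by a server secret held outside the database, which addresses the caveat about a salt stored next to the hashes. The function names, the `user|expires|tag` cookie layout and the choice of HMAC-SHA256 are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def stored_hash(password: str) -> str:
    """Value kept in the users table in the scheme the thread describes."""
    return md5_hex(password)


def weak_cookie(db_hash: str) -> str:
    """Cookie token = md5 of the stored hash; no other input is needed."""
    return md5_hex(db_hash)


def weak_cookie_valid(db_hash: str, cookie: str) -> bool:
    return hmac.compare_digest(weak_cookie(db_hash).encode(), cookie.encode())


def keyed_cookie(server_key: bytes, user: str, expires: int) -> str:
    """Assumed alternative: HMAC-SHA256 under a key held outside the database."""
    msg = f"{user}|{expires}"
    tag = hmac.new(server_key, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}|{tag}"


def verify_keyed_cookie(server_key: bytes, cookie: str, now: int) -> bool:
    try:
        user, expires, tag = cookie.rsplit("|", 2)
        deadline = int(expires)
    except ValueError:
        return False  # malformed cookie
    expected = hmac.new(server_key, f"{user}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode()) and now < deadline


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # constructed; lives in server config
    row = stored_hash("constructed-password")  # what a database read reveals
    print("weak token follows from the row alone:", weak_cookie_valid(row, weak_cookie(row)))
    good = keyed_cookie(key, "alice", expires=2000)
    print("keyed token, right key:", verify_keyed_cookie(key, good, now=1000))
    guess = keyed_cookie(row.encode(), "alice", expires=2000)
    print("keyed token built from the row:", verify_keyed_cookie(key, guess, now=1000))
```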