Comments on: Wordpress cookie authentication vulnerability http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/ Security Research, Computer Laboratory, University of Cambridge Fri, 16 May 2008 07:02:28 +0000 http://wordpress.org/?v=2.5.1 By: Steven J. Murdoch http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27217 Steven J. Murdoch Mon, 26 Nov 2007 12:18:52 +0000 http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27217 @Abel Cheung Yes, I've been following along on the mailing list. I'm not a member and other list members have already made the points I would have, so I haven't felt the need to post. For example, I liked <a href="http://comox.textdrive.com/pipermail/wp-hackers/2007-November/016297.html" rel="nofollow">your comment</a> on how to look at the vulnerability. I've been contributing to a thread on the <a href="http://trac.wordpress.org/ticket/5367" rel="nofollow">bug tracker</a>. Hopefully the discussion will remain on how to best fix the problem, rather than debating over whether to call it a vulnerability or <a href="http://comox.textdrive.com/pipermail/wp-hackers/2007-November/016295.html" rel="nofollow">"unwanted behavior"</a>. @Abel Cheung

Yes, I’ve been following along on the mailing list. I’m not a member and other list members have already made the points I would have, so I haven’t felt the need to post. For example, I liked your comment on how to look at the vulnerability.

I’ve been contributing to a thread on the bug tracker. Hopefully the discussion will remain on how to best fix the problem, rather than debating over whether to call it a vulnerability or “unwanted behavior”.

]]> By: Abel Cheung http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27216 Abel Cheung Mon, 26 Nov 2007 12:03:09 +0000 http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27216 You'd like to know the <a href="http://comox.textdrive.com/pipermail/wp-hackers/2007-November/016185.html" rel="nofollow">reaction of people in wp-hackers mailing list</a> as well. In one sentence: 'Bwahahahahahaha. You are senseless. This is not vulnerability.' You’d like to know the reaction of people in wp-hackers mailing list as well.

In one sentence: ‘Bwahahahahahaha. You are senseless. This is not vulnerability.’

]]> By: Daniel Luz http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27200 Daniel Luz Sat, 24 Nov 2007 00:52:57 +0000 http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27200 Oh, my. Before reading your posts, I had never looked at Wordpress' source code, and I'm still shocked how such a popular software has an amazingly bad code quality. Definitely, I'm not ever using it for anything. Oh, my. Before reading your posts, I had never looked at Wordpress’ source code, and I’m still shocked how such a popular software has an amazingly bad code quality. Definitely, I’m not ever using it for anything.

]]> By: ndg http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27155 ndg Wed, 21 Nov 2007 05:17:55 +0000 http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27155 In the past, the attitude of the core WordPress developers towards security has always left something to be desired -- attempts to proactively improve security, including the authentication system, have been shouted down for various reasons (performance, compatibility with ancient versions of PHP, etc.). Last I saw they were still ignoring suggestions to start using parameterized SQL. Vulnerabilities with exploits in the wild usually get fixed fairly quickly, at least, especially highly public ones. So there's hope for this one... :) In the past, the attitude of the core WordPress developers towards security has always left something to be desired — attempts to proactively improve security, including the authentication system, have been shouted down for various reasons (performance, compatibility with ancient versions of PHP, etc.). Last I saw they were still ignoring suggestions to start using parameterized SQL.

Vulnerabilities with exploits in the wild usually get fixed fairly quickly, at least, especially highly public ones. So there’s hope for this one… :)

]]> By: Paul Crowley http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27152 Paul Crowley Wed, 21 Nov 2007 01:02:32 +0000 http://www.lightbluetouchpaper.org/2007/11/20/wordpress-cookie-authentication-vulnerability/#comment-27152 Someone should write up a proper description of how to do this kind of website password security in one place. How to store a password. How to generate an authentication cookie when someone logs in. Whether to stretch passwords. How to use an email address to handle the situation where a user forgets their password (so many sites get this wrong in so many ways). And so on. Bad practice in this area is I'm sure far more common than good. Many web applications still email you your password as soon as you set it! Someone should write up a proper description of how to do this kind of website password security in one place. How to store a password. How to generate an authentication cookie when someone logs in. Whether to stretch passwords. How to use an email address to handle the situation where a user forgets their password (so many sites get this wrong in so many ways). And so on.

Bad practice in this area is I’m sure far more common than good. Many web applications still email you your password as soon as you set it!

]]>