Ticket #528 (closed defect: wontfix)

Opened 7 months ago

Last modified 7 months ago

Let there be salt

Reported by: drmike Assigned to: jaredbangs
Priority: normal Milestone: WPMU 1.0
Component: component1 Version: 1.0
Severity: major Keywords: has-patch
Cc:

Description

+1 for putting this in ASAP, since everybody and their mother-in-law is blogging about how easy it is to lift a password hash in WordPress:

http://trac.wordpress.org/changeset/6387

Attachments

WPMU_Trunk_Patch.diff (23.8 kB) - added by jaredbangs on 12/23/07 19:22:14.
Patch for current WPMU Trunk
WPMU_1.3_Tag_Patch.diff (23.7 kB) - added by jaredbangs on 12/23/07 19:23:05.
Patch for WPMU Tag 1.3

Change History

12/23/07 09:12:58 changed by jaredbangs

  • keywords set to has-patch.
  • owner changed from somebody to jaredbangs.
  • status changed from new to assigned.
  • severity changed from normal to major.

OK, here's a patch incorporating those changes. This is a copy of the changes Ryan committed, as described in ticket 5367.

It includes the changeset drmike mentioned above (6387) as well as three related follow-up changes (6389, 6400, and 6471). See the discussion thread in WP trac ticket 5367 for details.

Note that this fixes the cookie authentication vulnerability as well as the salting issue.

Attaching patch for WPMU trunk...

12/23/07 09:14:03 changed by jaredbangs

I'll also attach a patch for WPMU tag 1.3, as a couple of the files have changed since the tagging, and I imagine most people would be running off that version rather than the trunk.

12/23/07 19:22:14 changed by jaredbangs

  • attachment WPMU_Trunk_Patch.diff added.

Patch for current WPMU Trunk

12/23/07 19:23:05 changed by jaredbangs

  • attachment WPMU_1.3_Tag_Patch.diff added.

Patch for WPMU Tag 1.3

12/23/07 19:24:28 changed by jaredbangs

Updated patches to include other salting changes from WP changeset 6350.

01/11/08 16:48:30 changed by donncha

  • status changed from assigned to closed.
  • resolution set to wontfix.

Not just yet. This will make it in when we sync with WP 2.5. It's such an invasive change to the users table it's better to wait until it's 100% reliable.