WordPress 2.5 salt cracking vulnerability
I discovered a medium severity vulnerability in the way WordPress 2.5 handles user authentications, this is not a universally exploitable bug, so I think it would be no problem to apply full-disclosure this time. An advisory is available and a copy was sent to securityfocus' bugtraq. A temporary solution is provided within the advisory.
-
{ buzzword, development, english, hacking, web }
-
Tuesday April 15, 2008 @ 11:52
-
Write a comment
Comments
Reply #1
Although I'm not a fellow user of Wordpress, I think you did great work discovering this bug, keep doing it. However, just a little recommendation, your proof of concept isn't a linear algorithm but a brute force algorithm. Probably it would be better if you talk about the complexity of your algorithm using Big O Notation instead of time in seconds/hours/days or whatever, because not all the people have the same computer power, so we have to use some notation independent of how much RAM or Memory your computer has. Also it's important because you can take into account best, worst and average cases.
Regards.
Reply #2
Muy buen laburo ;)
me pase por aqui…
Saludos
Reply #3
Buenas,
Primero, gracias por los creditos, realmente no eran necesarios.
Segundo, te adverti que de esa forma no te hiban a responder (rapido), hubieras usado la expedita en dado caso xD.
Saludos
Reply #4
@jaircazarin, thanks! You're right, I should use another method to specify the algorithm speed, I confess that I don't know how to use big O notation yet but I'm looking the wiki page right now. Thanks for being such a good host last Wednesday too :-).
Reply #5
I just wonder how can you knowing all of this are making yourself to not abuse it :)