Opened 11 years ago
Closed 11 years ago
#24783 closed task (blessed) (fixed)
user_activation_key is not hashed in the database
Reported by: | harrym | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.7 | Priority: | normal |
Severity: | normal | Version: | 3.6 |
Component: | Users | Keywords: | has-patch |
Focuses: | Cc: |
Description
WordPress 3.5.2 does not hash user_activation_key in the database. user_activation_key is a one-time password generated and used during the password reset process.
In combination with another vulnerability that reveals database fields, this value can be used to set a new password for a user account, bypassing the need to extract and brute-force password hashes.
To address this issue, user_activation_key should be hashed in the database, as passwords are.
[NB: I have not attached a patch because the core team have already agreed that they will target a fix for 3.7]
Attachments (3)
Change History (7)
#1
@
11 years ago
- Summary changed from WordPress does not hash user_activation_key in the database to user_activation_key is not hashed in the database
#2
@
11 years ago
- Keywords has-patch added
- Milestone changed from Awaiting Review to 3.7
24783.diff implements this. Works like a charm.
When someone tries to used an older, unhashed user_activation_key, it changes the error message from "Sorry, that key does not appear to be valid." to "Sorry, that key has expired. Please try again." — and it gives you the form to immediately request a password reset email again.
This way, we don't annoyingly invalidate all existing keys without providing any kind of feedback to a user that loses their password right around the time of an update done by someone else. (Think, especially, a big WP install.)
This will have major implications for BackPress-driven sites like bbPress 1.x (so, a lot of WordPress.org). Please do not commit until we figure out this piece.
PS: this issue was discovered by Glyn Wintle.