Make WordPress Core

Opened 7 years ago

Closed 5 years ago

#3316 closed defect (bug) (wontfix)

Protected post password is plain text in cookie

Reported by: dosa
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.1
Component: Security
Keywords:
Focuses:
Cc:

Description

Once a password is entered for a protected post it is stored as plain text in the cookie for all to see. Surely simply keeping some kind of hash would be better?

Change History (8)

comment:1 by ryan, 7 years ago

  • Milestone changed from 2.0.5 to 2.1

comment:2 by Viper007Bond, 7 years ago

"for all to see"

Well it's not like other sites can access the cookie or anything. ;) But yeah, hashing the cookie value isn't a bad idea.

comment:3 by matt, 7 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

comment:4 by Nazgul, 7 years ago

  • Milestone 2.1 deleted

comment:5 by nbachiyski, 5 years ago

  • Milestone set to 2.8
  • Resolution wontfix deleted
  • Status changed from closed to reopened

The cost of hashing it is so low that it would be stupid not to do it.

The gain isn't much, but hashing it is worth it even for saving one poor man, who put his e-mail password there and had his cookies stolen due to an XSS (a common thing these days).

comment:6 by raxitsheth, 5 years ago

  • Priority changed from normal to high
  • Severity changed from normal to major

Just re-opening the ticket.

Password-protected posts are normally posts which are "not for public". Storing the password in plaintext on the user's browser is clearly a dumb idea!

Even if other sites cannot access the cookie, a simple proxy/man-in-the-middle attack/network sniffer can read the password.

-Raxit Sheth

comment:7 by Viper007Bond, 5 years ago

  • Priority changed from high to normal
  • Severity changed from major to normal

When this ticket was originally opened, it would have been a nightmare to patch as the cookie was checked in the theme itself:

	// Old theme-side check (comments.php): the cookie holds the post password in
	// clear text and the theme compares it to the stored post_password itself.
	if (!empty($post->post_password)) { // if there's a password
		$cookie_name = 'wp-postpass_' . COOKIEHASH;
		// isset() avoids an undefined-index notice on a first visit; the strict
		// comparison avoids PHP's loose == coercion between cookie and password.
		if (!isset($_COOKIE[$cookie_name]) || $_COOKIE[$cookie_name] !== $post->post_password) { // and it doesn't match the cookie
			?>

			<p class="nocomments">This post is password protected. Enter the password to view comments.</p>

			<?php
			return;
		}
	}

Now however we have the post_password_required() function which handles the cookie checking and could be updated to check against a hashed cookie.

The problem is that relatively few themes have probably updated to make use of that function. They are all likely still using the old direct check code. That means that all pre-WP 2.7 themes would have to be updated or would otherwise break. This is kinda unacceptable for such a relatively minor security improvement.

Recommend reclosing as wontfix.
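The following is an added illustration of the trade-off described in this comment; it is not WordPress core or theme code. It models both cookie schemes in plain PHP so they can be compared from a shell with `php postpass_cookie.php`. Everything in it is assumed rather than taken from the page: `$cookies` stands in for `$_COOKIE`, `$post` is a constructed stdClass with a `post_password`, `COOKIEHASH` is defined locally, `post_password_required_hashed()` is a hypothetical stand-in for a hashed-cookie version of `post_password_required()`, and the hashing uses PHP's `password_hash()`/`password_verify()` (PHP 7.2+ for the `object` type hint).

```php
<?php
// Added illustration for this ticket; not WordPress core or theme code.
// Assumptions (not from the page): $cookies stands in for $_COOKIE, $post is a
// constructed stdClass with ->post_password, COOKIEHASH is defined locally, and
// the hash scheme is password_hash()/password_verify().

define('COOKIEHASH', md5('https://example.test')); // stand-in for the real constant
$cookie_name = 'wp-postpass_' . COOKIEHASH;

// Scheme A: the behaviour the ticket reports. The cookie carries the password.
function set_plaintext_cookie(array &$cookies, string $name, string $entered): void
{
    $cookies[$name] = $entered;
}

// Theme-side check in the style of the comments.php snippet quoted above.
// Returns true when the visitor may see the post.
function old_theme_check(array $cookies, string $name, object $post): bool
{
    if (empty($post->post_password)) {
        return true;
    }
    return isset($cookies[$name]) && $cookies[$name] === $post->post_password;
}

// Scheme B: the proposal. The cookie carries a salted hash of the entered
// password; the server verifies the stored post_password against that hash.
function set_hashed_cookie(array &$cookies, string $name, string $entered): void
{
    $cookies[$name] = password_hash($entered, PASSWORD_DEFAULT);
}

// Hypothetical centralised check in the spirit of post_password_required():
// returns true when the visitor still has to enter the password.
function post_password_required_hashed(array $cookies, string $name, object $post): bool
{
    if (empty($post->post_password)) {
        return false;
    }
    if (!isset($cookies[$name])) {
        return true;
    }
    // password_verify(plaintext, hash): the stored post password is the
    // plaintext, the cookie value is the hash.
    return !password_verify($post->post_password, $cookies[$name]);
}

$post = (object) ['post_password' => 'hunter2']; // constructed sample post

// A: what an XSS payload, a proxy or a sniffer sees in the cookie jar.
$cookies = [];
set_plaintext_cookie($cookies, $cookie_name, 'hunter2');
printf("A cookie value: %s\n", $cookies[$cookie_name]);
printf("A old theme grants access: %s\n",
    old_theme_check($cookies, $cookie_name, $post) ? 'yes' : 'no');

// B: the cookie no longer reveals the password to whoever reads it.
$cookies = [];
set_hashed_cookie($cookies, $cookie_name, 'hunter2');
printf("B cookie value: %s\n", $cookies[$cookie_name]);
printf("B hashed check grants access: %s\n",
    post_password_required_hashed($cookies, $cookie_name, $post) ? 'no' : 'yes');

// B seen by a theme that still compares the cookie to post_password directly
// (the pre-2.7 code path): every visitor is now locked out of the post.
printf("B old theme grants access: %s\n",
    old_theme_check($cookies, $cookie_name, $post) ? 'yes' : 'no');

// B with the wrong password entered: still denied.
$cookies = [];
set_hashed_cookie($cookies, $cookie_name, 'letmein');
printf("B wrong password, hashed check grants access: %s\n",
    post_password_required_hashed($cookies, $cookie_name, $post) ? 'no' : 'yes');
```

Two points worth keeping in mind when weighing the proposal. Hashing only stops the cookie from disclosing the password; the cookie is still a bearer token, so whoever steals it (the XSS case in comment 5) can replay it to read that post until the post password is changed. And because `password_verify()` runs on every request for a protected post, the hash's work factor is paid per page view rather than once at login, which is the real cost to weigh against "the cost of hashing it is so low".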

comment:8 by Viper007Bond, 5 years ago

  • Milestone 2.8 deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed

Since Matt was the one who originally closed it and no one has come forward with a reasonable and backwards compatible solution, I'm gonna reclose as wontfix.
