Make WordPress Core

Opened 17 years ago

Closed 14 years ago

#3316 closed defect (bug) (wontfix)

Protected post password is plain text in cookie

Reported by: dosa
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.1
Component: Security
Keywords:
Focuses:
Cc:

Description

Once a password is entered for a protected post it is stored as plain text in the cookie for all to see. Surely simply keeping some kind of hash would be better?

Change History (8)

#1 @ryan
17 years ago

  • Milestone changed from 2.0.5 to 2.1

#2 @Viper007Bond
17 years ago

"for all to see"

Well it's not like other sites can access the cookie or anything. ;) But yeah, hashing the cookie value isn't a bad idea.

#3 @matt
17 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

#4 @Nazgul
16 years ago

  • Milestone 2.1 deleted

#5 @nbachiyski
14 years ago

  • Milestone set to 2.8
  • Resolution wontfix deleted
  • Status changed from closed to reopened

The cost of hashing it is so low that it would be stupid not to do it.

The gain isn't much, but hashing it is worth it even for saving one poor man, who put his e-mail password there and had his cookies stolen due to an XSS (a common thing these days).

#6 @raxitsheth
14 years ago

  • Priority changed from normal to high
  • Severity changed from normal to major

Just re-opening the ticket.

Password-protected posts are normally posts which are "not for public". Storing the password in plaintext on the user's browser is clearly a dumb idea!

Even if other sites cannot access the cookie, a simple proxy/man-in-the-middle attack/network sniffer can read the password.

-Raxit Sheth

#7 @Viper007Bond
14 years ago

  • Priority changed from high to normal
  • Severity changed from major to normal

When this ticket was originally opened, it would have been a nightmare to patch as the cookie was checked in the theme itself:

	if (!empty($post->post_password)) { // if there's a password
		if ($_COOKIE['wp-postpass_' . COOKIEHASH] != $post->post_password) {  // and it doesn't match the cookie
			?>

			<p class="nocomments">This post is password protected. Enter the password to view comments.</p>

			<?php
			return;
		}
	}

Now however we have the post_password_required() function which handles the cookie checking and could be updated to check against a hashed cookie.

The problem is that relatively few themes have probably updated to make use of that function. They are all likely still using the old direct check code. That means that all pre-WP 2.7 themes would have to be updated or would otherwise break. This is kinda unacceptable for such a relatively minor security improvement.

Recommend reclosing as wontfix.
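The hashed-cookie check proposed in this thread, as an added example that is not WordPress code and not the `post_password_required()` implementation: the legacy plaintext comparison from the theme snippet sits beside a variant that stores a salted hash in the cookie and verifies it against the post's password. `COOKIEHASH` is defined with a constructed value only so the file runs on its own; `hunter2` is a constructed sample password.

```php
<?php
// Stand-in for WordPress's COOKIEHASH (constructed; WordPress derives it from the site URL).
if ( ! defined( 'COOKIEHASH' ) ) {
    define( 'COOKIEHASH', md5( 'http://example.invalid' ) );
}

// Old behaviour from the ticket: the cookie must hold the password itself.
// (The theme snippet used a loose != comparison; this version compares strictly.)
function legacy_post_password_required( $post, array $cookies ) {
    if ( empty( $post->post_password ) ) {
        return false;
    }
    $name = 'wp-postpass_' . COOKIEHASH;
    return ! isset( $cookies[ $name ] ) || $cookies[ $name ] !== $post->post_password;
}

// Hashed variant: the cookie carries a salted hash, never the password.
// A stolen cookie still replays against this site, but no longer discloses
// a password the reader may reuse elsewhere (the concern raised in comment #5).
function set_hashed_post_password_cookie( $password ) {
    $hash = password_hash( $password, PASSWORD_DEFAULT );
    // HttpOnly keeps the value away from script (the XSS theft in #5);
    // Secure keeps it off plain HTTP (the sniffer in #6).
    setcookie( 'wp-postpass_' . COOKIEHASH, $hash, 0, '/', '', true, true );
    return $hash;
}

function hashed_post_password_required( $post, array $cookies ) {
    if ( empty( $post->post_password ) ) {
        return false;
    }
    $name = 'wp-postpass_' . COOKIEHASH;
    if ( empty( $cookies[ $name ] ) ) {
        return true;
    }
    // password_verify() reads the salt from the hash and compares in constant time.
    return ! password_verify( $post->post_password, $cookies[ $name ] );
}

// Constructed demonstration: a post with a password and the cookie a reader would get.
$post   = (object) array( 'post_password' => 'hunter2' );
$cookie = array( 'wp-postpass_' . COOKIEHASH => set_hashed_post_password_cookie( 'hunter2' ) );

var_dump( hashed_post_password_required( $post, $cookie ) );   // matching hash: access granted
var_dump( hashed_post_password_required( $post, array() ) );   // no cookie: password still required
var_dump( legacy_post_password_required( $post, $cookie ) );   // hashed cookie fails the plaintext check
```

The last line shows the compatibility problem described above: a theme doing the old direct comparison rejects a hashed cookie, so switching the cookie format breaks every theme that has not moved to `post_password_required()`.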

#8 @Viper007Bond
14 years ago

  • Milestone 2.8 deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed

Since Matt was the one who originally closed it and no one has come forward with a reasonable and backwards compatible solution, I'm gonna reclose as wontfix.
