#5383 closed defect (bug) (duplicate)
security notification
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Severity: | critical | Version: | |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description
http://lwn.net/Articles/259204/ shows wordpress has a security issue and I can't seem to find anything useful about when this might be fixed or if it is being worked on.
You need to do a better job of notifying us of security issues. Things like a section on the website... http://wordpress.org/security is 404 now.
Send out notification on the announcement list of open issues like the one mentioned above and suggest "Workarounds" if the issue isn't fixed.
Change History (7)
#3 (17 years ago)
Solutions already exist or can exist with a plugin. However, such a plugin has not yet been referenced on WP-Hackers. Travis has stated that he developed a system for his web site that uses sessions to correct this problem.
However, since the solution calls for either using PHP Sessions, PHPass, and/or salting passwords, I don't think it is trivial and could cause problems. I can't think of a solution that doesn't involve resetting everyone's password once the change is implemented.
#4 (17 years ago)
Regarding the 3 comments above, this ticket was about improving the way WP informs the community about security issues, not about the latest security issue in particular.
#5 (17 years ago)
Understood, which was why the ticket wasn't closed in the first place. However, the ticket makes references to other bugs that needed to be made available.
#6 (17 years ago)
- Resolution set to duplicate
- Status changed from new to closed
When appropriate and there is a clear and present danger to our users, we publicize things quite a bit. Thanks for your feedback on this particular issue. Marking as "duplicate" just so it doesn't clog up our issue tracker.
Of course it's possible to get the hash and run it against a rainbow pattern (or create a session cookie) -- if you have read-only access.
I suppose a solution would be to stop storing the hash in the cookie, and authenticate a bit differently.
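As an added illustration of the point in comment #6 (this is example code written for this page, not code from the ticket, from WordPress, or from any plugin mentioned above), the Python sketch below contrasts a cookie that is simply the stored password hash with a cookie whose tag is an HMAC keyed by a server-side secret. The user table, the salt, `SERVER_SECRET` and all function names are constructed for the example; the scheme itself is a generic keyed-cookie design, not a description of how WordPress implemented its fix.

```python
import hashlib
import hmac
import time

# Constructed sample data: a "database" of users holding only a salted password hash.
# SERVER_SECRET stands in for a secret kept in server configuration, never in the
# database, so reading the users table alone cannot reproduce a valid cookie.
SERVER_SECRET = b"constructed-example-secret-change-me"
USER_TABLE = {
    "alice": hashlib.sha256(b"constructed-salt" + b"alice-password").hexdigest(),
}


def lookup_hash(username):
    """Return the stored password hash for a user, or None if the user is unknown."""
    return USER_TABLE.get(username)


def weak_cookie(username, pw_hash):
    """The design the comment objects to: the stored hash *is* the cookie.
    Anyone who can read the users table can reproduce it, so a read-only
    database leak is as good as a login."""
    return f"{username}|{pw_hash}"


def _cookie_key(username, pw_hash, server_secret):
    # Per-user key derived from the server secret plus the current hash: changing the
    # password invalidates old cookies, but the hash alone (without the secret) is useless.
    return hmac.new(server_secret, f"{username}|{pw_hash}".encode(), hashlib.sha256).digest()


def issue_cookie(username, pw_hash, server_secret, ttl=86400, now=None):
    """Mint 'username|expires|tag' where tag = HMAC(per-user key, 'username|expires')."""
    expires = int(time.time() if now is None else now) + ttl
    msg = f"{username}|{expires}".encode()
    tag = hmac.new(_cookie_key(username, pw_hash, server_secret), msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires}|{tag}"


def verify_cookie(cookie, lookup, server_secret, now=None):
    """Return the authenticated username, or None for a malformed, expired,
    tampered, or stale (password has since changed) cookie."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expires_s, tag = parts
    if not expires_s.isdigit():
        return None
    current = time.time() if now is None else now
    if int(expires_s) <= current:
        return None  # expired
    pw_hash = lookup(username)
    if pw_hash is None:
        return None  # unknown user
    msg = f"{username}|{expires_s}".encode()
    expected = hmac.new(_cookie_key(username, pw_hash, server_secret), msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check itself does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


if __name__ == "__main__":
    cookie = issue_cookie("alice", lookup_hash("alice"), SERVER_SECRET)
    print("issued:", cookie)
    print("verified as:", verify_cookie(cookie, lookup_hash, SERVER_SECRET))
```

The difference that matters for the ticket's scenario is where the secret lives: with `weak_cookie`, everything needed to mint a cookie is in the users table; with `issue_cookie`, the table contents are necessary but not sufficient, because the tag also depends on `SERVER_SECRET`. Binding the key to the current hash means a password reset invalidates outstanding cookies, and the expiry field bounds how long any one cookie is usable.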