Make WordPress Core

Opened 17 years ago

Closed 17 years ago

Last modified 17 years ago

#5383 closed defect (bug) (duplicate)

security notification

Reported by: chuckpeters
Owned by:
Milestone:
Priority: high
Severity: critical
Version:
Component: General
Keywords:
Focuses:
Cc:

Description

http://lwn.net/Articles/259204/ shows WordPress has a security issue and I can't seem to find anything useful about when this might be fixed or if it is being worked on.

You need to do a better job of notifying us of security issues. Things like a section on the website... http://wordpress.org/security is 404 now.

Send out notification on the announcement list of open issues like the one mentioned above and suggest "Workarounds" if the issue isn't fixed.

Change History (7)

#1 @rob1n
17 years ago

Of course it's possible to get the hash and run it against a rainbow pattern (or create a session cookie) -- if you have read-only access.

I suppose a solution would be to stop storing the hash in the cookie, and authenticate a bit differently.
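The cookie-forgery risk rob1n describes, as an added illustration that is not part of the ticket or of WordPress's own code: in the legacy scheme the cookie is just the stored password hash, so anyone who can read that hash from the database can reproduce a valid cookie; a keyed scheme binds the cookie to a server-side secret and an expiry instead, so the hash alone is not enough. The user record, the function names and the secret are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample user record, stored the way an older app might
# store it (unsalted MD5 password hash).
USER_ID = 1
USERNAME = "admin"
STORED_HASH = hashlib.md5(b"correct horse").hexdigest()

# Hypothetical server-side secret; in practice a long random value
# that lives only on the server, never in the users table.
SERVER_SECRET = b"example-secret-do-not-reuse"


def legacy_cookie(username: str, stored_hash: str) -> str:
    """Legacy scheme: the cookie carries the stored hash itself, so a
    read-only view of the users table is enough to rebuild it."""
    return f"{username}|{stored_hash}"


def legacy_cookie_valid(cookie: str, stored_hash: str) -> bool:
    _, presented = cookie.split("|", 1)
    return hmac.compare_digest(presented, stored_hash)


def keyed_cookie(user_id: int, expires: int) -> str:
    """Hardened scheme: the cookie carries an id and an expiry, bound
    together by an HMAC under a secret the database does not hold."""
    msg = f"{user_id}|{expires}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user_id}|{expires}|{tag}"


def keyed_cookie_valid(cookie: str, now: int) -> bool:
    """Reject malformed, expired, or tampered cookies; compare the tag
    in constant time."""
    try:
        uid, exp, tag = cookie.split("|")
        expires = int(exp)
    except ValueError:
        return False
    if now >= expires:
        return False
    msg = f"{uid}|{expires}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)
```

Rotating SERVER_SECRET invalidates every keyed cookie at once, which is the revocation lever the legacy scheme lacks short of resetting passwords.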

#3 @santosj
17 years ago

Solutions already exist or can exist with a plugin. However, such a plugin has not yet been referenced on WP-Hackers. Travis has stated that he developed a system for his web site that uses sessions to correct this problem.

However, since the solution calls for either using PHP Sessions, PHPass, and/or salting passwords, I don't think it is trivial and could cause problems. I can't think of a solution that doesn't involve resetting everyone's password once the change is implemented.

#4 @JeremyVisser
17 years ago

Regarding the 3 comments above, this ticket was about improving the way WP informs the community about security issues, not about the latest security issue in particular.

#5 @darkdragon
17 years ago

Understood, which was why the ticket wasn't closed in the first place. However, the ticket makes references to other bugs that needed to be made available.

#6 @matt
17 years ago

  • Resolution set to duplicate
  • Status changed from new to closed

When appropriate and there is a clear and present danger to our users, we publicize things quite a bit. Thanks for your feedback on this particular issue. Marking as "duplicate" just so it doesn't clog up our issue tracker.

#7 @Nazgul
17 years ago

  • Milestone 2.5 deleted