Opened 17 years ago
Closed 17 years ago
#6413 closed enhancement (wontfix)
Add custom prefix to cookie-names
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
Only recently a new kind of exploit/attack started on WordPress blogs, during which a directory is created inside "wp-contents" with several HTML and JavaScript files. See:
http://cyberinsecure.com/wordpress-doorway-spam-attacks/
http://blogsecurity.net/wordpress/automated-wordpress-hacking-tool-cached-by-google/
http://www.village-idiot.org/archives/2008/03/18/wordpress-spam-inject-honeypot/
http://wordpress.org/support/topic/161723
One of the proposed ways to keep the attack out is to rename the cookies' names, because the attack relies on the default cookie-names.
So I think maybe it would be a good idea to use the prefix-option from the wp-config file and add that to the cookie name, and maybe to the default admin-user's name as well?
Change History (4)
#2 follow-up: ↓ 3 @ 17 years ago
- Severity changed from major to normal
Giving away the db prefix in the cookie name sounds like bad security fu to me.
You would be giving a hacker extra information about your blog.
The cookie names are already based on the site url - we could maybe change this from a straight md5 of the site url to something less deterministic.
We do already allow you to define your own cookie names in wp-config.php if you want:
http://trac.wordpress.org/browser/trunk/wp-settings.php#L269
#3 in reply to: ↑ 2 @ 17 years ago
Replying to westi:
> Giving away the db prefix in the cookie name sounds like bad security fu to me.
> You would be giving a hacker extra information about your blog.
Hi, thanks for the fast response.
Yes, giving away the prefix that's used for the db-tables is indeed a bad idea, and adding another prefix-option in wp-config for the cookies will most likely result in users choosing the same prefix for both.
I'm not sure how the exploit works, but DD32's comments make sense to me.
Thanks again.
Renaming the cookies is pointless IMO. The exploit will simply change to grab cookies which are using any prefix, not just the WordPress-prefixed cookies.
If they can create files, there are many places they could simply plonk a .php file and have WP auto-include it inside the wp-content folder.
I'm not too sure, but I'm pretty sure with the changes made in the authentication, that WP 2.5 may not be as affected by that form of attack.