oss-sec mailing list archives
Re: CVE request: WordPress 3.5.1 denial of service vulnerability
From: Andrew Nacin <nacin () wordpress org>
Date: Wed, 12 Jun 2013 09:34:16 -0400
On Jun 12, 2013 9:11 AM, "Solar Designer" <solar () openwall com> wrote:

> Web apps (like WordPress) were indeed not supposed to expose the ability for untrusted users to specify arbitrary "setting" strings (which include the configurable cost). I am unfamiliar with WordPress, so I don't know why they do it here - is this instance of their use of phpass perhaps meant to achieve similar goals that tripcodes do? If so, yes, they should be sanitizing the cost setting (perhaps with a site-admin-configurable upper bound).

We agree.

> However, for password hashes coming from the WordPress user/password database (the primary intended use of phpass), this should not be necessary. (Indeed, a similar DoS attack could be performed by someone having gained write access to the database, but that would likely be the least of a site admin's worries.)

Correct (and yes).

Andrew Nacin
WordPress
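As an added example (not phpass's or WordPress's own code, and written in Python rather than PHP), the following parses a phpass portable setting string, enforces the site-admin upper bound on the cost that the thread recommends before any hashing work starts, and computes the portable hash so the 2^cost work factor is visible. The function names, the `max_log2` bound and the sample settings are assumptions.

```python
import hashlib
# phpass alphabet; the index of setting[3] in it is log2 of the MD5 round count
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PHPASS_MIN_LOG2, PHPASS_MAX_LOG2 = 7, 30   # range phpass itself accepts

def phpass_count_log2(setting: str) -> int:
    """log2 of the round count in a '$P$'/'$H$' setting string.
    Layout: 3-char id, 1 cost char, 8 salt chars, then 22 hash chars."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable setting")
    log2 = ITOA64.find(setting[3])
    if not PHPASS_MIN_LOG2 <= log2 <= PHPASS_MAX_LOG2:
        raise ValueError("cost character outside phpass range")
    return log2

def check_untrusted_setting(setting: str, max_log2: int) -> int:
    """Admit an untrusted setting only if its cost is within the admin-set
    bound (max_log2 is an assumed name). Returns the round count."""
    log2 = phpass_count_log2(setting)
    if log2 > max_log2:
        raise ValueError(f"cost 2^{log2} exceeds configured bound 2^{max_log2}")
    return 1 << log2

def _encode64(data: bytes) -> str:
    """phpass's own base64 variant (not RFC 4648), ported from its encode64()."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]; i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n: break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n: break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return "".join(out)

def phpass_hash(password: bytes, setting: str, max_log2: int) -> str:
    """Portable phpass hash; the cost bound is enforced before any work is done."""
    rounds = check_untrusted_setting(setting, max_log2)  # 2^log2 MD5 calls follow
    digest = hashlib.md5(setting[4:12].encode() + password).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)
```

A setting whose cost character is 'S' encodes 2^30 rounds, which phpass accepts but a bound such as 13 rejects before the first MD5 call.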