Date: Wed, 12 Jun 2013 09:34:16 -0400
From: Andrew Nacin <nacin@...dpress.org>
To: oss-security@...ts.openwall.com
Cc: security <security@...dpress.org>, vnd@...h.net
Subject: Re: CVE request: WordPress 3.5.1 denial of service vulnerability

On Jun 12, 2013 9:11 AM, "Solar Designer" <solar@...nwall.com> wrote:
> Web apps (like WordPress) were indeed not supposed to expose the ability
> for untrusted users to specify arbitrary "setting" strings (which
> include the configurable cost).  I am unfamiliar with WordPress, so I
> don't know why they do it here - is this instance of their use of phpass
> perhaps meant to achieve similar goals that tripcodes do?  If so, yes,
> they should be sanitizing the cost setting (perhaps with a site admin
> configurable upper bound).

We agree.

> However, for password hashes coming from
> WordPress user/password database (primary intended use of phpass), this
> should not be necessary.  (Indeed, a similar DoS attack could be
> performed by someone having gained write access to the database, but
> that would likely be the least of a site admin's worries.)

Correct (and yes).

Andrew Nacin
WordPress
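
As an added example, not code from this thread, from phpass or from WordPress: a Python reimplementation of the portable phpass "$P$" scheme, showing where the cost lives in the setting string and what sanitizing it against an admin-configurable upper bound looks like. The cost character, the 2**cost md5 loop and the encode64 alphabet follow the published phpass algorithm (the crypt() fallback phpass uses for non-"$P$" hashes is left out); the bound max_cost_log2, the sample salt and all function names are this example's own assumptions. Stock phpass only rejects costs outside 7..30, so a setting string chosen by an attacker can still demand 2**30 rounds; the bounded check refuses such a string before any hashing is done.

```python
import hashlib
import hmac
import os

# phpass' own alphabet: the 4th character of a "$P$"/"$H$" setting is an
# index into this string and encodes log2 of the iteration count.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def cost_log2_from_setting(setting: str):
    """Return log2(iterations) encoded in a phpass portable setting string,
    or None if it is not a well-formed "$P$"/"$H$" setting."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    idx = ITOA64.find(setting[3])
    return idx if idx >= 0 else None


def encode64(data: bytes) -> str:
    """phpass' non-standard base64 variant (ITOA64 alphabet, no padding)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def make_setting(cost_log2: int, salt: bytes = None) -> str:
    """Build a "$P$" setting; 6 random salt bytes encode to 8 characters."""
    salt = os.urandom(6) if salt is None else salt
    return "$P$" + ITOA64[cost_log2] + encode64(salt)[:8]


def phpass_crypt(password: bytes, setting: str) -> str:
    """Portable phpass hash: md5(salt+pw), then 2**cost rounds of md5(h+pw).
    Like phpass, refuses costs outside 7..30 by returning "*0"/"*1" (which
    can never equal the stored string); 2**30 rounds is still accepted,
    and that is the DoS lever when the setting is attacker-chosen."""
    cost_log2 = cost_log2_from_setting(setting)
    if cost_log2 is None or not 7 <= cost_log2 <= 30:
        return "*1" if setting.startswith("*0") else "*0"
    salt = setting[4:12].encode()
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << cost_log2):
        h = hashlib.md5(h + password).digest()
    return setting[:12] + encode64(h)


def check_password_bounded(password: bytes, stored: str, max_cost_log2: int) -> bool:
    """Verify a password against a hash whose setting may come from an
    untrusted source rather than the user database. The work factor is
    compared with the (assumed) admin-configured bound BEFORE any hashing."""
    cost_log2 = cost_log2_from_setting(stored)
    if cost_log2 is None or cost_log2 > max_cost_log2:
        return False
    return hmac.compare_digest(phpass_crypt(password, stored), stored)


if __name__ == "__main__":
    # Constructed sample: fixed zero salt so the setting is reproducible.
    stored = phpass_crypt(b"correct horse", make_setting(8, b"\x00" * 6))
    print(stored, check_password_bounded(b"correct horse", stored, 13))
    # Attacker-supplied setting asking for 2**30 rounds: refused instantly.
    print(check_password_bounded(b"x", "$P$Sabcdefgh", 13))
```

Hashes read from the user database never need this guard, as the thread says; the bound is only for the code path where the setting string itself is user-controlled.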
