Date: Wed, 12 Jun 2013 09:34:16 -0400
From: Andrew Nacin <nacin@...dpress.org>
To: oss-security@...ts.openwall.com
Cc: security <security@...dpress.org>, vnd@...h.net
Subject: Re: CVE request: WordPress 3.5.1 denial of service vulnerability

On Jun 12, 2013 9:11 AM, "Solar Designer" <solar@...nwall.com> wrote:
> Web apps (like WordPress) were indeed not supposed to expose the ability
> for untrusted users to specify arbitrary "setting" strings (which
> include the configurable cost). I am unfamiliar with WordPress, so I
> don't know why they do it here - is this instance of their use of phpass
> perhaps meant to achieve similar goals that tripcodes do? If so, yes,
> they should be sanitizing the cost setting (perhaps with a site admin
> configurable upper bound).

We agree.

> However, for password hashes coming from
> WordPress user/password database (primary intended use of phpass), this
> should not be necessary. (Indeed, a similar DoS attack could be
> performed by someone having gained write access to the database, but
> that would likely be the least of a site admin's worries.)

Correct (and yes).

Andrew Nacin
WordPress
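A defender-side illustration of the point discussed above, added here and not part of the thread, phpass or WordPress: a Python rendering of phpass's portable ("$P$") hash, where the fourth character of the setting selects 2**cost MD5 rounds (the character 'S' means 2**30), with the site-configurable cost ceiling Solar Designer suggests checked before any hashing is done. The ceiling value (13), the function names and the sample salts are assumptions made for this example.

```python
import hashlib

# phpass's base-64 alphabet; the setting's cost character indexes into it.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def phpass_cost_log2(setting):
    """log2 iteration count from a portable setting ('$P$' or '$H$', one cost
    char, 8-char salt), or None if malformed or outside phpass's 7..30 window."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    cost = ITOA64.find(setting[3])
    return cost if 7 <= cost <= 30 else None


def setting_within_policy(setting, max_cost_log2):
    """Site-configurable ceiling (assumed knob, not a phpass feature):
    refuse an oversized cost before a single MD5 round is spent on it."""
    cost = phpass_cost_log2(setting)
    return cost is not None and cost <= max_cost_log2


def encode64(data, count):
    """phpass's own base-64 variant: 3 little-endian bytes -> 4 chars,
    a 1- or 2-byte tail -> 2 or 3 chars (not RFC 4648)."""
    out = []
    for i in range(0, count, 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)


def phpass_crypt(password, setting):
    """Portable phpass hash: 2**cost chained MD5 rounds, so a setting that
    smuggles in cost 30 costs 2**30 rounds if it is not gated first."""
    cost = phpass_cost_log2(setting)
    if cost is None:
        return "*1" if setting.startswith("*0") else "*0"  # phpass's failure markers
    pw, salt = password.encode(), setting[4:12].encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << cost):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h, 16)


def check_password(password, stored_hash, max_cost_log2=13):
    """phpass CheckPassword semantics (re-hash, compare) with the cap applied first."""
    if not setting_within_policy(stored_hash, max_cost_log2):
        return False
    return phpass_crypt(password, stored_hash) == stored_hash
```

Hashes written by the site's own code sit well under the ceiling and pass the gate unchanged; only a caller-supplied setting with an inflated cost character is refused.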