Date: Wed, 12 Jun 2013 09:34:16 -0400
From: Andrew Nacin <>
Cc: security <>,
Subject: Re: CVE request: WordPress 3.5.1 denial of service vulnerability

On Jun 12, 2013 9:11 AM, "Solar Designer" <> wrote:
> Web apps (like WordPress) were indeed not supposed to expose the ability
> for untrusted users to specify arbitrary "setting" strings (which
> include the configurable cost).  I am unfamiliar with WordPress, so I
> don't know why they do it here - is this instance of their use of phpass
> perhaps meant to achieve similar goals that tripcodes do?  If so, yes,
> they should be sanitizing the cost setting (perhaps with a site admin
> configurable upper bound).

We agree.

> However, for password hashes coming from
> WordPress user/password database (primary intended use of phpass), this
> should not be necessary.  (Indeed, a similar DoS attack could be
> performed by someone having gained write access to the database, but
> that would likely be the least of a site admin's worries.)

Correct (and yes).

Andrew Nacin
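
An added example, not part of the original message and not WordPress or phpass code: one way to bound the cost in a setting string before it reaches the hashing routine, as the exchange above suggests. The function names and the `$maxLog2` parameter are hypothetical, the sample strings are constructed, and the layout assumed is the phpass portable format (`$P$` or `$H$`, one cost character from the itoa64 alphabet, eight salt characters) plus the bcrypt `$2a$NN$` form.

```php
<?php
// Added example. Names here are hypothetical, not WordPress or phpass API.
const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/**
 * Return [scheme, log2 cost] for a setting string, or null if it is not a
 * well-formed phpass portable or bcrypt setting.
 */
function setting_cost(string $setting): ?array
{
    // Portable: "$P$" or "$H$", one cost character, eight salt characters.
    if (preg_match('#^\$[PH]\$([./0-9A-Za-z])[./0-9A-Za-z]{8}#', $setting, $m)) {
        return ['portable', (int) strpos(ITOA64, $m[1])];
    }
    // bcrypt: "$2a$", "$2x$" or "$2y$", two-digit cost, "$", 22 salt characters.
    if (preg_match('#^\$2[axy]\$(\d{2})\$[./0-9A-Za-z]{22}#', $setting, $m)) {
        return ['bcrypt', (int) $m[1]];
    }
    return null;
}

/**
 * Accept a setting from an untrusted source only if its cost lies between the
 * scheme's own minimum and an upper bound chosen by the site admin.
 */
function setting_is_acceptable(string $setting, int $maxLog2): bool
{
    $parsed = setting_cost($setting);
    if ($parsed === null) {
        return false;                          // malformed: never hash with it
    }
    [$scheme, $cost] = $parsed;
    $min = ($scheme === 'portable') ? 7 : 4;   // lower limits of each scheme
    return $cost >= $min && $cost <= $maxLog2;
}

// Constructed sample settings (salts and hash bodies are filler).
$samples = [
    '$P$B12345678abcdefghijklmnopqrstuv',      // cost character 'B' = 2^13
    '$P$S12345678abcdefghijklmnopqrstuv',      // cost character 'S' = 2^30
    '$2a$08$abcdefghijklmnopqrstuu',           // bcrypt, cost 08
    '$2a$31$abcdefghijklmnopqrstuu',           // bcrypt, cost 31
    '$P$B1234',                                // truncated salt
];
foreach ($samples as $s) {
    printf("%-36s %s\n", $s, setting_is_acceptable($s, 16) ? 'accept' : 'reject');
}
```

The bound only matters for settings that arrive from outside the user database; hashes read from the site's own user table are covered by the second quoted paragraph above.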
