Does this affect WordPress MU RC1.5?
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2008-04/msg00169.html
http://xiam.menteslibres.org/pages/advisories/wordpress-2-5-salt-cracking-vulnerability
I don't understand this bit:
After the initial WordPress installation, the wp-config.php's SECRET_KEY must remain as the default value: 'put your unique phrase here' or be undefined, the default value remains untouched after installing via a browser.
It's mentioned on both the pages linked to, but I set the SECRET_KEY in my config file BEFORE I installed WordPress (and WordPress MU) so I'm not 100% sure what they are on about.
But, if the user hasn't set the secret_key then isn't the username and password as secure as WordPress pre v2.5?
Sorry, my security knowledge isn't fantastic so I may be completely wrong.
Actually when you install the latest version, 2 random keys are created and placed within the config file.
You can see that at line 340 of the install-index.php file.
The config file for mu is created during install. For regular wordpress, the user has to edit the file first before installing.
I first edit wp-config-sample.php and...
http://api.wordpress.org/secret-key/1.0/ <--- put the generated key in the secret key:
define('SECRET_KEY', 'secret key of api.wordpress.org'); // Change this to a unique phrase.
(and in) define('SECRET_SALT', 'afa9f0af9af9a0f9a0f9'); // Change this to a unique phrase.
and then install WordPress MU RC1. Or is that not correct?
You may want to reread my post up there. The keys are generated for you during the install.
edit: The poster does raise an issue about the confusion with the "Change this to a unique phrase" bits within that file. They probably should be removed.
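A way to check a wp-config.php for the condition discussed in this thread (SECRET_KEY or SECRET_SALT undefined or still at the placeholder phrase), added here as an example and not code from WordPress or from any poster. The function name `audit_wp_config` and the sample config are constructed for illustration; the scan works line by line and does not handle multi-line `/* */` comments.

```python
import re

# Placeholder phrase quoted from the advisory in the thread above.
DEFAULT_PHRASE = "put your unique phrase here"

# Matches define('NAME', 'value'); with single or double quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""",
    re.IGNORECASE,
)

def audit_wp_config(php_source, names=("SECRET_KEY", "SECRET_SALT")):
    """Return {constant: status}; status is undefined, default, empty or set."""
    found = {}
    for line in php_source.splitlines():
        m = DEFINE_RE.search(line)
        if not m:
            continue
        prefix = line[:m.start()]
        if "//" in prefix or "#" in prefix or "/*" in prefix:
            continue  # a commented-out define leaves the constant undefined
        # PHP keeps the first definition of a constant; later ones are ignored.
        found.setdefault(m.group("name"), m.group("value"))
    report = {}
    for name in names:
        value = found.get(name)
        if value is None:
            report[name] = "undefined"
        elif value == "":
            report[name] = "empty"  # an empty string adds no secret
        elif value.strip().lower() == DEFAULT_PHRASE:
            report[name] = "default"
        else:
            report[name] = "set"
    return report

# Constructed sample: key left at the placeholder, salt commented out.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
// define('SECRET_SALT', 'constructed-sample-value');
"""

if __name__ == "__main__":
    for name, status in audit_wp_config(SAMPLE_CONFIG).items():
        print(f"{name}: {status}")
```

Any status other than `set` means the constant should be replaced with a unique random value.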