Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent "hijacking" install sessions by tying it to specific browser or session #108

markkap opened this issue Oct 2, 2018 · 1 comment


Copy link

@markkap markkap commented Oct 2, 2018

Right now there is no validation that the site details, are not filled by the person that actually started the install.

While there is no obvious exploit vector here, people that notice that have a WTF moment which do not add to the credibility of the software of being security focused.

@markkap markkap added this to the 1.0.0 milestone Mar 6, 2019
markkap added a commit that referenced this issue Mar 7, 2019
… This value is used to verify that the install session is not hijacked. #108
Copy link

@markkap markkap commented Mar 7, 2019

This is implemented by adding a cookie during the wp-config.php phase with the value of the generated AUTH_KEY. The value of the cookie is tested to be the same as AUTH_KEY when finishing the install phase.

@markkap markkap closed this Mar 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant