Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent "hijacking" install sessions by tying it to specific browser or session #108

markkap opened this Issue Oct 2, 2018 · 1 comment


None yet
1 participant
Copy link

markkap commented Oct 2, 2018

Right now there is no validation that the site details, are not filled by the person that actually started the install.

While there is no obvious exploit vector here, people that notice that have a WTF moment which do not add to the credibility of the software of being security focused.

@markkap markkap added this to the 1.0.0 milestone Mar 6, 2019

markkap added a commit that referenced this issue Mar 7, 2019

When generating the config.php set a cookie to the value of auth_key.…
… This value is used to verify that the install session is not hijacked. #108

This comment has been minimized.

Copy link

markkap commented Mar 7, 2019

This is implemented by adding a cookie during the wp-config.php phase with the value of the generated AUTH_KEY. The value of the cookie is tested to be the same as AUTH_KEY when finishing the install phase.

@markkap markkap closed this Mar 7, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.