Date: Tue, 20 Nov 2007 22:03:32 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: "Steven J. Murdoch" <fulldisc+Steven.Murdoch@...cam.ac.uk>, 
	Stefan Esser <stefan.esser@...tioneins.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Wordpress Cookie Authentication Vulnerability

This has been CVE-2007-6013 since 19 Nov, including WordPress ticket #5367:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013

- Juha-Matti

"Steven J. Murdoch" <fulldisc+Steven.Murdoch@...cam.ac.uk> kirjoitti: 
>
>On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
>>Could you elaborate why you consider this news? Most public SQL
>>injection exploits for Wordpress use this cookie trick.
>
>I couldn't find it on the Wordpress bug tracker and when I mentioned
>it to the Wordpress security address, they did not mention having
>heard of it before. I also couldn't find a detailed explanation of the
>problem online, nor in the usual vulnerability databases. Blog
>administrators, like me, therefore risk sites being compromised
>because they didn't realize the problem.
>
>It seemed intuitive to me that restoring the database to a known good
>state would be adequate to recover from a Wordpress compromise
>(excluding guessable passwords). This is the case with the UNIX
>password database and any similarly implemented system. Because of the
>vulnerability I mentioned, this is not the case for Wordpress.
>
>So I also thought it important to describe the workarounds, and fixes.
>If these were obvious, Wordpress would have already applied them. Some
>commenters did not think that the current password scheme needs to be,
>or can be improved, despite techniques to do so being industry
>standard for decades. Clearly this misconception needs to be
>corrected.
>
>I did mention that this was being exploited, so obviously some people
>already know about the problem, but not the right ones. Before I sent
>the disclosure, there was no effort being put into fixing the problem.
>Now there is. Hopefully blog administrators will also apply the
>work-arounds in the meantime.
>
>Steven.
>
>-- 
>w: http://www.cl.cam.ac.uk/users/sjm217/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
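Steven's point above, that restoring the database to a known-good state does not recover a site from this bug and that the password scheme itself can be improved with long-standard techniques, as an added Python example (not code from this thread, from WordPress, or from any of the authors quoted here). It assumes the scheme at issue in CVE-2007-6013, a login cookie derived only from the password hash stored in the users table with no server-side secret and no expiry; the sample users, passwords and secret are constructed inline, and the hardened variant is the generic technique (keyed MAC under a server secret plus expiry, and a salted, iterated password hash), not WordPress's actual fix.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# ---------------------------------------------------------------------------
# Vulnerable scheme (the pattern at issue in CVE-2007-6013, stated here as the
# example's assumption): the stored credential is an unsalted MD5 of the
# password and the login cookie is derived from that stored hash alone.  There
# is no server-side secret and no expiry, so anyone who can read the users
# table (SQL injection, a stolen backup) can mint a cookie without ever
# learning the password.
# ---------------------------------------------------------------------------

def weak_stored_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def weak_cookie(username: str, stored_hash: str) -> str:
    # cookie = username | MD5(stored hash)
    return f"{username}|{hashlib.md5(stored_hash.encode()).hexdigest()}"

def weak_verify(cookie: str, users: Dict[str, str]) -> Optional[str]:
    username, _, tag = cookie.partition("|")
    stored = users.get(username)
    if stored is None:
        return None
    expected = hashlib.md5(stored.encode()).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None

def forged_cookie_survives_db_restore() -> bool:
    """Attacker reads the hash once; restoring the DB from backup changes nothing."""
    users = {"admin": weak_stored_hash("correct horse")}   # constructed sample user
    leaked_hash = users["admin"]                            # e.g. read via SQL injection
    forged = weak_cookie("admin", leaked_hash)
    # The site owner "recovers" by restoring a known-good backup.  The admin
    # password, and therefore the stored hash the cookie derives from, is unchanged.
    restored = {"admin": weak_stored_hash("correct horse")}
    return weak_verify(forged, restored) == "admin"        # True: still logged in

def password_change_kills_forged_cookie() -> bool:
    """On the vulnerable scheme the only working remediation is rotating the password."""
    users = {"admin": weak_stored_hash("correct horse")}
    forged = weak_cookie("admin", users["admin"])
    users["admin"] = weak_stored_hash("new password")      # credential rotated
    return weak_verify(forged, users) is None              # True: forged cookie dead

# ---------------------------------------------------------------------------
# Hardened scheme (generic technique, not WordPress's own code): the cookie is
# an HMAC over (username, expiry) under a server-side secret that never lives
# in the database, and the stored credential is a per-user salted, iterated hash.
# ---------------------------------------------------------------------------

ITERATIONS = 100_000

def strong_stored_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"

def strong_check_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def _mac(secret: bytes, username: str, expires: int) -> str:
    return hmac.new(secret, f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()

def strong_cookie(username: str, secret: bytes, expires: int) -> str:
    return f"{username}|{expires}|{_mac(secret, username, expires)}"

def strong_verify(cookie: str, secret: bytes, now: int) -> Optional[str]:
    try:
        username, expires_s, tag = cookie.split("|")
        expires = int(expires_s)
    except ValueError:
        return None
    if now >= expires:
        return None
    return username if hmac.compare_digest(tag, _mac(secret, username, expires)) else None

def leaked_table_does_not_forge_strong_cookie() -> bool:
    """With the users table fully leaked, the attacker still lacks the secret."""
    secret = secrets.token_bytes(32)
    now = 1_700_000_000
    users = {"admin": strong_stored_hash("correct horse")}
    # Best the attacker can do is key the MAC with something from the database.
    msg = f"admin|{now + 3600}"
    attempt = f"{msg}|" + hmac.new(users["admin"].encode(), msg.encode(), hashlib.sha256).hexdigest()
    return strong_verify(attempt, secret, now) is None

def secret_rotation_invalidates_all_cookies() -> Tuple[bool, bool, bool]:
    """Recovery step that actually works: rotate the secret.  Also shows expiry."""
    secret = secrets.token_bytes(32)
    now = 1_700_000_000
    cookie = strong_cookie("admin", secret, now + 3600)
    valid_now = strong_verify(cookie, secret, now) == "admin"
    expired = strong_verify(cookie, secret, now + 7200) is None
    after_rotation = strong_verify(cookie, secrets.token_bytes(32), now) is None
    return valid_now, expired, after_rotation

if __name__ == "__main__":
    print("weak: forged cookie still valid after DB restore:", forged_cookie_survives_db_restore())
    print("weak: forged cookie dead after password change:", password_change_kills_forged_cookie())
    print("strong: leaked table cannot forge a cookie:", leaked_table_does_not_forge_strong_cookie())
    print("strong: (valid now, expired later, dead after rotation):", secret_rotation_invalidates_all_cookies())
```

The two halves make the recovery difference concrete: on the vulnerable scheme a database restore leaves every minted cookie valid until each affected user's password (and so its hash) changes, whereas with a keyed, expiring cookie the operator can invalidate every outstanding session by rotating one server-side secret, and a copy of the users table alone is not enough to mint a new one.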