lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 22 Nov 2007 16:56:00 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: Steven Adair <steven@...urityzone.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Wordpress Cookie Authentication Vulnerability

This issue is SA27714 (severity 1/5)
http://secunia.com/advisories/27714/

and FrSIRT/ADV-2007-3941 (severity 1/4)
http://www.frsirt.com/english/advisories/2007/3941

too.

Secunia advisory lists these workarounds:
"Grant only trusted users read access to the "users" table.
Restrict access to the "wp-admin" directory (e.g. with ".htaccess")."

- Juha-Matti

>Right this problem has existed for a long time, but it's not the end of
>the world for someone to point it out again I suppose.
>
>I think it's obvious that there's another main issue here and that's the
>way WordPress handles its cookies in general.  They are not temporary
>sessions that expire or are only valid upon successful authentication.
>The cookies work for ever.. or at least until the password changes.  If
>someone uses an XSS attack to obtain the cookies or sniffs them (most
>blogs are just HTTP) they can essentially permanently authenticate.  The
>same result occurs with being able to read the database.
>
>Furthermore, one could in theory conduct a bruteforce attack against the
>WordPress password by just making normal requests to the blog but changing
>the cookies that does the double MD5 of the password.  You could in theory
>emulate normal continued browsing of the website while sending
>MD5(MD5(password)) over and over with each request via the cookie.  Other
>than perhaps a large increase in browsing of the blog, this could possibly
>go unnoticed as an attack -- as it would not be logged anywhere (in most
>instances) that the cookies were being presented.  Once authenticated into
>WordPress, the normal blog pages look different, so it would not require
>an attacker to access the Admin area to verify.
>
>Anyway, good to see the CVE is already there.  Maybe better session
>management will find its way into WordPress.
>
>
>Steven
>http://www.securityzone.org
(>..runs on WordPress.. oh noes!)
>
>> This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013
>>
>> - Juha-Matti
--clip--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ