lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20071120184634.GB23810@tern.cl.cam.ac.uk>
Date: Tue, 20 Nov 2007 18:46:35 +0000
From: "Steven J. Murdoch" <fulldisc+Steven.Murdoch@...cam.ac.uk>
To: Stefan Esser <stefan.esser@...tioneins.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Wordpress Cookie Authentication Vulnerability

On Tue, Nov 20, 2007 at 07:08:36PM +0100, Stefan Esser wrote:
> Could you elaborate why you consider this news? Most public SQL
> injection exploits for Wordpress use this cookie trick.

I couldn't find it on the Wordpress bug tracker and when I mentioned
it to the Wordpress security address, they did not mention having
heard of it before. I also couldn't find a detailed explanation of the
problem online, nor in the usual vulnerability databases. Blog
administrators, like me, therefore risk sites being compromised
because they didn't realize the problem.

It seemed intuitive to me that restoring the database to a known good
state would be adequate to recover from a Wordpress compromise
(excluding guessable passwords). This is the case with the UNIX
password database and any similarly implemented system. Because of the
vulnerability I mentioned, this is not the case for Wordpress.

So I also thought it important to describe the workarounds, and fixes.
If these were obvious, Wordpress would have already applied them. Some
commenters did not think that the current password scheme needs to be,
or can be improved, despite techniques to do so being industry
standard for decades. Clearly this misconception needs to be
corrected.

I did mention that this was being exploited, so obviously some people
already know about the problem, but not the right ones. Before I sent
the disclosure, there was no effort being put into fixing the problem.
Now there is. Hopefully blog administrators will also apply the
work-arounds in the meantime.

Steven.

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ