[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7652701c0711201051o38aa9707p61f6ce03eeabe7f3@mail.gmail.com>
Date: Wed, 21 Nov 2007 05:51:26 +1100
From: "XSS Worm XSS Security Information Portal"
<cross-site-scripting-security@...worm.com>
To: full-disclosure@...ts.grok.org.uk
Cc: "Steven J. Murdoch" <fulldisc+Steven.Murdoch@...cam.ac.uk>
Subject: Wordpress 0day: Hacking into computers now easier
than previously believed - Heise Security
*Wordpress 0day: Hacking into computers now easier than previously believed,
says Heise Security<http://xssworm.blogvis.com/21/xssworm/wordpress-0day-hacking-into-computers-now-easier-than-previously-believed-says-heise-security/>
********"A design flaw in the WordPress <http://wordpress.org/> blog
software authentication process makes it easier than previously believed for
attackers to compromise a system. Most content management systems and blogs
save user passwords as hashes in the underlying database. So even if
attackers were to get access to the hashes stored in the database, for
instance by means of an SQL injection hole, they have not been able to do
much with them up to now."*
*"Specifically, if they want to recover the passwords, they would have to
compare a hash with entries in a "rainbow table" – a process that can take
some time and may not work at all for long passwords, for which there simply
are no tables."*
**
*[image: Ed Henning]*
*"A design flaw in the WordPress blog software authentication process makes
it easier than previously believed for attackers to compromise a system."*
*"But according to a security advisory published by Stephen J. Murdoch of
the University of Cambridge, a property in WordPress can be exploited to get
access without the password. Instead of trying to obtain the password,
Murdoch used its hash to generate an authentication cookie to gain access to
the system. A member of the core team behind The Onion Router (TOR)
anonymization project, Murdoch says that the MD5 hash only has to be hashed
a second time with MD5. According to his report, the authentication
procedure implemented in WordPress then looks like:*
* wordpresspass_<MD5(url)>=MD5(user_pass) *
*Here, the URL is clearly spelled out, and user_pass corresponds to the hash
(MD5(password)). Along with the wordpressuser cookie (that
wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the
WordPress admin account. Murdoch says he has informed the developers of
WordPress of the problem, but they have yet to react."*
Please Mr Murdoch No more talking to the media about security. or maybe we
create new media now (-;
vaj
--
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:vaj@...pam.xssworm.com
aim: XSS Cross Site
------
XSS Cross Site Scripting Attacks
Media Manipulation and Web 2.0 Insecurity Blog (tm) 2007
http://www.XSSworm.com/
------
"Vaj, bella vaj."
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists