Message-ID: <3509794.28721195743360889.JavaMail.juha-matti.laurio@netti.fi>
Date: Thu, 22 Nov 2007 16:56:00 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: Steven Adair <steven@...urityzone.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Wordpress Cookie Authentication Vulnerability

This issue is SA27714 (severity 1/5)
http://secunia.com/advisories/27714/

and FrSIRT/ADV-2007-3941 (severity 1/4)
http://www.frsirt.com/english/advisories/2007/3941

too.

Secunia advisory lists these workarounds:
"Grant only trusted users read access to the "users" table.
Restrict access to the "wp-admin" directory (e.g. with ".htaccess")."

- Juha-Matti

>Right this problem has existed for a long time, but it's not the end of
>the world for someone to point it out again I suppose.
>
>I think it's obvious that there's another main issue here and that's the
>way WordPress handles its cookies in general.  They are not temporary
>sessions that expire or are only valid upon successful authentication.
>The cookies work for ever.. or at least until the password changes.  If
>someone uses an XSS attack to obtain the cookies or sniffs them (most
>blogs are just HTTP) they can essentially permanently authenticate.  The
>same result occurs with being able to read the database.
>
>Furthermore, one could in theory conduct a bruteforce attack against the
>WordPress password by just making normal requests to the blog but changing
>the cookie that does the double MD5 of the password.  You could in theory
>emulate normal continued browsing of the website while sending
>MD5(MD5(password)) over and over with each request via the cookie.  Other
>than perhaps a large increase in browsing of the blog, this could possibly
>go unnoticed as an attack -- as it would not be logged anywhere (in most
>instances) that the cookies were being presented.  Once authenticated into
>WordPress, the normal blog pages look different, so it would not require
>an attacker to access the Admin area to verify.
>
>Anyway, good to see the CVE is already there.  Maybe better session
>management will find its way into WordPress.
>
>
>Steven
>http://www.securityzone.org
>(..runs on WordPress.. oh noes!)
>
>> This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013
>>
>> - Juha-Matti
--clip--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
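As an added illustration (not code from the thread, and not WordPress's own implementation), here is the long-lived MD5(MD5(password)) cookie that Steven describes, modelled beside a hardened cookie design that expires, is invalidated by a password change, and logs failed presentations. The function names, the server secret and the sample hashes are assumptions made for this demo.

```python
import hashlib
import hmac
import logging
import secrets
import time
from typing import Optional

log = logging.getLogger("cookie-auth")
MAX_AGE = 2 * 24 * 3600  # hardened cookies live two days; the weak one has no lifetime

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

# Weak scheme as the thread describes it: cookie = MD5(MD5(password)), valid until the
# password changes. Simplified model of the behaviour discussed, not WordPress's code.
def weak_cookie(password: str) -> str:
    return md5_hex(md5_hex(password))

def weak_verify(cookie: str, stored_md5: str) -> bool:
    # stored_md5 is the users-table hash: whoever can read it can mint the cookie,
    # and a stolen or guessed cookie never expires.
    return cookie == md5_hex(stored_md5)

# Hardened scheme: HMAC over "user|expiry" keyed from a server secret plus the user's
# current password hash, so a cookie expires and is invalidated by a password change.
SERVER_SECRET = secrets.token_bytes(32)  # constructed per process for this demo

def _key(pw_hash: str, secret: bytes = SERVER_SECRET) -> bytes:
    return hmac.new(secret, pw_hash.encode(), hashlib.sha256).digest()

def hardened_cookie(user: str, pw_hash: str, now: Optional[float] = None) -> str:
    msg = f"{user}|{int((now if now is not None else time.time()) + MAX_AGE)}"
    return f"{msg}|{hmac.new(_key(pw_hash), msg.encode(), hashlib.sha256).hexdigest()}"

def hardened_verify(cookie: str, pw_hash: str, now: Optional[float] = None) -> Optional[str]:
    try:
        user, exp_s, tag = cookie.split("|")
        expires, msg = int(exp_s), f"{user}|{exp_s}"
    except ValueError:
        log.warning("malformed auth cookie presented")  # failures are logged, unlike the weak scheme
        return None
    expected = hmac.new(_key(pw_hash), msg.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        log.warning("auth cookie with bad tag for user %r", user)  # guessing becomes visible
        return None
    if (now if now is not None else time.time()) > expires:
        log.info("expired auth cookie for user %r", user)
        return None
    return user
```

Wiring the warning-level log lines into the site's normal logging is what turns the "unnoticed" cookie guessing from the thread into an alertable event.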
