Message-ID: <CAPKwhwscAw9iwZfMXSRaQ7kiEMToFsN2=UOiMwOgDOjwGArDxw@mail.gmail.com>
Date: Tue, 10 Feb 2015 11:50:16 -0500
From: Scott Arciszewski <scott@...iszewski.me>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2014-6412 - WordPress (all versions) lacks CSPRNG

Ticket opened: 2014-06-25
Affected Versions: ALL
Problem: No CSPRNG
Patch available, collecting dust because of negligent (and questionably competent) WP maintainers

On June 25, 2014 I opened a ticket on WordPress's issue tracker to expose a cryptographically secure pseudorandom number generator, since none was present (although it looks like others have tried to hack together a band-aid solution to mitigate php_mt_seed until WordPress gets their "let's support PHP < 5.3" heads out of their asses).

For the past 8 months, I have tried repeatedly to raise awareness of this bug, even going as far as to attend WordCamp Orlando to troll^H advocate for its examination in person. And they blew me off every time.

If anyone with RNG breaking experience (cough solar designer cough) can PoC it, without the patch I've provided you should be able to trivially predict the password reset token for admin users and take over any WordPress site completely.

Eight fucking months.

Patch available with unit tests and PHP 5.2 on Windows support at
https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch

Scott
https://scott.arciszewski.me
@voodooKobra

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
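
The class of weakness the message above describes, as an added example that is not part of the original post and is neither WordPress code nor the linked patch: a token built from mt_rand() is fully determined by a 32-bit seed, while one built from the OS CSPRNG is not. The function names and the seed value are constructed for illustration, and random_int() assumes PHP 7.0 or later.

```php
<?php
// Added illustration. weak_token()/strong_token() are hypothetical names,
// not WordPress functions and not taken from the linked patch.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Weak: each character is chosen by mt_rand(). The whole output stream of
// mt_rand() is a function of its 32-bit seed, so the token is too.
function weak_token($length = 20)
{
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, $max)];
    }
    return $out;
}

// Hardened: random_int() draws unbiased integers from the operating
// system's CSPRNG and throws if no secure source is available.
function strong_token($length = 20)
{
    $alphabet = ALPHABET;
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Constructed seed: reseeding with the same value reproduces the token.
mt_srand(12345);
$first = weak_token();
mt_srand(12345);
$second = weak_token();
echo 'weak tokens equal after reseed: ', var_export($first === $second, true), "\n";
echo 'strong token sample: ', strong_token(), "\n";

// Upper bound on distinct tokens: the seed space for mt_rand(), the full
// alphabet^length space for the CSPRNG version.
printf("weak token entropy:   at most %d bits\n", 32);
printf("strong token entropy: about %.0f bits\n", 20 * log(strlen(ALPHABET), 2));
```

Making the weak token longer does not help: its entropy is capped by the seed, not by the token length.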