Message-ID: <CAO_YWRWY=7=GS7bAdkueZ9ZJV4ABU5N8WP7OgZmyqJNPk1X3xg@mail.gmail.com>
Date: Thu, 12 Feb 2015 01:13:40 +0000
From: Paul McMillan <paul@...illan.ws>
To: Scott Arciszewski <scott@...iszewski.me>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2014-6412 - WordPress (all versions) lacks CSPRNG

Seen this?

https://github.com/altf4/untwister
http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/bg04-untwisting-the-mersenne-twister-how-i-killed-the-prng-moloch

-Paul

On Tue, Feb 10, 2015 at 4:50 PM, Scott Arciszewski <scott@...iszewski.me> wrote:
> Ticket opened: 2014-06-25
> Affected Versions: ALL
> Problem: No CSPRNG
> Patch available, collecting dust because of negligent (and questionably
> competent) WP maintainers
>
> On June 25, 2014 I opened a ticket on WordPress's issue tracker to expose a
> cryptographically secure pseudorandom number generator, since none was
> present (although it looks like others have tried to hack together a
> band-aid solution to mitigate php_mt_seed until WordPress gets their "let's
> support PHP < 5.3" heads out of their asses).
>
> For the past 8 months, I have tried repeatedly to raise awareness of this
> bug, even going as far as to attend WordCamp Orlando to troll^H advocate
> for its examination in person. And they blew me off every time.
>
> If anyone with RNG breaking experience (cough solar designer cough) can PoC
> it, without the patch I've provided you should be able to trivially predict
> the password reset token for admin users and take over any WordPress site
> completely.
>
> Eight fucking months.
>
> Patch available with unit tests and PHP 5.2 on Windows support at
> https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
>
> Scott
> https://scott.arciszewski.me
> @voodooKobra
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
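The point of the thread is that a password-reset token built from mt_rand() is guessable once an observer recovers the Mersenne Twister state, while a token drawn from the operating system CSPRNG is not. The block below is an added illustration, not code from WordPress or from the patch linked above: the weak pattern the ticket describes beside a CSPRNG-backed replacement, with hashed storage and constant-time verification. Function names are assumed for the example.

```php
<?php
// Weak pattern: characters picked with mt_rand(), a Mersenne Twister whose
// state can be reconstructed from observed outputs, so further tokens issued
// from the same state become predictable. Shown only to contrast with the fix.
function weakResetToken($length = 20)
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// Hardened pattern: bytes from the OS CSPRNG. random_bytes() exists from
// PHP 7.0; openssl_random_pseudo_bytes() (PHP 5.3+) is accepted as a fallback
// only when it reports that its output is cryptographically strong.
function secureResetToken($bytes = 32)
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $raw = openssl_random_pseudo_bytes($bytes, $strong);
        if ($raw !== false && $strong === true) {
            return bin2hex($raw);
        }
    }
    // Failing closed is safer than silently issuing a guessable token.
    throw new RuntimeException('No CSPRNG available; refusing to issue a reset token');
}

// Persist only a hash of the token so a database read does not yield usable
// reset links; hash_equals() (PHP 5.6+) compares in constant time.
function storeResetToken($token)
{
    return hash('sha256', $token);
}

function verifyResetToken($storedHash, $presented)
{
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Usage (constructed): issue a token, keep only its hash, verify a presented copy.
$token  = secureResetToken();
$record = storeResetToken($token);
var_dump(verifyResetToken($record, $token));
var_dump(verifyResetToken($record, weakResetToken()));
```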