
Re: [Full-disclosure] Wordpress Cookie Authentication Vulnerability



This issue is SA27714 (severity 1/5)
http://secunia.com/advisories/27714/

and FrSIRT/ADV-2007-3941 (severity 1/4)
http://www.frsirt.com/english/advisories/2007/3941

too.

Secunia advisory lists these workarounds:
"Grant only trusted users read access to the "users" table.
Restrict access to the "wp-admin" directory (e.g. with ".htaccess")."

- Juha-Matti

>Right this problem has existed for a long time, but it's not the end of
>the world for someone to point it out again I suppose.
>
>I think it's obvious that there's another main issue here and that's the
>way WordPress handles its cookies in general.  They are not temporary
>sessions that expire or are only valid upon successful authentication.
>The cookies work for ever.. or at least until the password changes.  If
>someone uses an XSS attack to obtain the cookies or sniffs them (most
>blogs are just HTTP) they can essentially permanently authenticate.  The
>same result occurs with being able to read the database.
>
>Furthermore, one could in theory conduct a bruteforce attack against the
>WordPress password by just making normal requests to the blog but changing
>the cookies that do the double MD5 of the password.  You could in theory
>emulate normal continued browsing of the website while sending
>MD5(MD5(password)) over and over with each request via the cookie.  Other
>than perhaps a large increase in browsing of the blog, this could possibly
>go unnoticed as an attack -- as it would not be logged anywhere (in most
>instances) that the cookies were being presented.  Once authenticated into
>WordPress, the normal blog pages look different, so it would not require
>an attacker to access the Admin area to verify.
>
>Anyway, good to see the CVE is already there.  Maybe better session
>management will find its way into WordPress.
>
>
>Steven
>http://www.securityzone.org
>(..runs on WordPress.. oh noes!)
>
>> This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013
>>
>> - Juha-Matti
--clip--
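As an added illustration of the session-management point raised in the quoted reply (example code written for this page; it is neither WordPress's own code nor part of the thread): the first pair of functions models the cookie scheme the thread describes, where the cookie is MD5(MD5(password)), so it can be reproduced by anyone who can read the users table or sniff one request, and stays valid until the password changes. The second pair shows an expiring, secret-keyed token of the kind the reply asks for. The users table, the passwords, SECRET_KEY and the choice of HMAC-SHA256 keyed with the stored hash are constructed assumptions for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo data: the users table holds md5(password), as the
# thread describes for WordPress at the time. Not real credentials.
USERS = {"admin": hashlib.md5(b"correct horse").hexdigest()}

# Assumed: a secret kept in server-side configuration, never in the database.
SECRET_KEY = b"constructed-server-side-secret"


def weak_cookie(username):
    """Scheme described in the thread: cookie = md5(md5(password)).

    Everything needed to compute it is in the users table, so a database
    read yields a cookie that works until the password is changed.
    """
    return hashlib.md5(USERS[username].encode()).hexdigest()


def weak_verify(username, cookie):
    return hmac.compare_digest(cookie, weak_cookie(username))


def _key_for(username):
    # Design choice for this example: derive the MAC key from the server
    # secret and the stored hash, so a password change invalidates old
    # tokens and a database read alone is not enough to forge one.
    return hmac.new(SECRET_KEY, USERS[username].encode(), hashlib.sha256).digest()


def issue_token(username, ttl_seconds, now=None):
    """Hardened scheme: 'user|expiry|mac' with a server-side secret.

    The embedded expiry makes the session temporary; the MAC binds the
    username and expiry so neither can be edited by the holder.
    """
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    payload = f"{username}|{expiry}".encode()
    mac = hmac.new(_key_for(username), payload, hashlib.sha256).hexdigest()
    return f"{username}|{expiry}|{mac}"


def verify_token(token, now=None):
    """Return the username for a valid, unexpired token, else None."""
    now = int(time.time()) if now is None else now
    try:
        username, expiry_s, mac = token.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None  # malformed token
    if username not in USERS or expiry < now:
        return None  # unknown user or expired session
    payload = f"{username}|{expiry}".encode()
    expected = hmac.new(_key_for(username), payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged
    return username


def change_password(username, new_password):
    """Update the stored hash; both schemes' existing cookies stop working."""
    USERS[username] = hashlib.md5(new_password.encode()).hexdigest()


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("admin", 3600, now=t0)
    print("fresh token accepted:", verify_token(tok, now=t0))
    print("after expiry:", verify_token(tok, now=t0 + 3601))
    change_password("admin", "different password")
    print("after password change:", verify_token(tok, now=t0))
```

Note that the weak cookie also stops working on password change, which is the only revocation the thread's scheme has; the token scheme adds expiry and a secret that the database does not contain, so neither a sniffed cookie nor read access to the users table yields permanent access.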

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/