[wp-hackers] Wordpress Cookie Authentication Vulnerability

Otto otto at ottodestruct.com
Tue Nov 20 16:56:29 GMT 2007


Yeah, you know, after looking at this, I'm wondering what the point of
the double-MD5 is myself.

It could be to prevent somebody from getting the hash in the DB if
they intercepted it over the network (since it's in the clear), but if
somebody intercepted it, then they could just use the cookie
themselves and pretend to be the same person. They don't need to crack
it.

There's little or no risk in sending the actual cookie over
considering it logs you in. The only reason for a double-MD5 would be
to prevent somebody going the other way, much like the article says.

While I don't think that this is necessarily "insecure", it does seem
a bit insane.

-Otto, who would comment on trac except that trac is inaccessible from
my workplace (no route to host).



On 11/20/07, Bob <wp-hackers at nj-arp.org> wrote:
> I'm not a security weenie, but it seems to me you wouldn't even need an
> exploit.  Unless you're running SSL, the hashed password is sent in the
> clear, so a hacker can get the hashed password and then exploit this cookie
> vulnerability.
>
>
>
> ----- Original Message -----
> From: "Ryan Boren" <ryan at boren.nu>
> To: <wp-hackers at lists.automattic.com>
> Sent: Tuesday, November 20, 2007 2:41 AM
> Subject: Re: [wp-hackers] Wordpress Cookie Authentication Vulnerability
>
>
> > On 11/19/07, Computer Guru <computerguru at neosmart.net> wrote:
> >> You've got to be kidding me!
> >>
> >> I read the first five words then burst out laughing:
> >> "With read-only access to the Wordpress database"...
> >>
> >> Once you've got read-only access to a database, how much more vulnerable
> >> do you want?
> >
> > Yeah, it's not a vulnerability in and of itself.   But, in the event
> > your site is compromised (cough -- WP exploits --  cough),  these
> > measures would prevent someone slurping your password hashes and doing
> > naughty things with them after you've patched whatever hole was
> > exploited.  If we can add these extra measures cheaply, they can be
> > handy when cleaning up after an exploit.
> >
> > Ryan
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
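The two cookie constructions argued over in this thread, side by side, as an added example that is not code from the thread or from WordPress itself. It assumes the stored password is a plain MD5 hex digest and that the legacy cookie is MD5 of that stored hash (the "double-MD5" Otto questions); the keyed variant is one hypothetical shape Ryan's "extra measures" could take, with a per-site secret held outside the database. All names (`USER_ROW`, `SERVER_SECRET`, `keyed_cookie`, `forgeable_from_db_copy`) are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample user row. Assumption: the stored password is a plain
# MD5 hex digest, as the thread takes for granted.
USER_ROW = {
    "user_login": "alice",
    "user_pass": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Assumption: a per-site secret that lives in a config file and is never
# written to the database, so a read-only DB copy does not include it.
SERVER_SECRET = secrets.token_bytes(32)


def legacy_cookie(user_row):
    """The 'double-MD5' construction under discussion: the cookie value is
    MD5(stored hash). Every input lives in the database, so a read-only copy
    of the users table is enough to recompute it; nothing has to be cracked."""
    return hashlib.md5(user_row["user_pass"].encode()).hexdigest()


def legacy_cookie_valid(user_row, cookie_value):
    """Server-side check for the legacy scheme."""
    return hmac.compare_digest(legacy_cookie(user_row).encode(),
                               cookie_value.encode())


def keyed_cookie(user_row, expires, secret=SERVER_SECRET):
    """Hypothetical hardened form (not WordPress code): an HMAC over login and
    expiry, keyed by the server secret and the stored hash. A DB dump alone
    cannot mint cookies, a captured cookie stops working at `expires`, and a
    password change invalidates every outstanding cookie for that user."""
    login = user_row["user_login"]
    key = hmac.new(secret, user_row["user_pass"].encode(), "sha256").digest()
    tag = hmac.new(key, f"{login}|{expires}".encode(), "sha256").hexdigest()
    return f"{login}|{expires}|{tag}"


def keyed_cookie_valid(user_row, cookie_value, now, secret=SERVER_SECRET):
    """Verify a keyed cookie against the current user row at time `now`."""
    try:
        login, expires_s, tag = cookie_value.split("|")
        expires = int(expires_s)
    except ValueError:
        return False
    if login != user_row["user_login"] or now > expires:
        return False
    expected = keyed_cookie(user_row, expires, secret).rsplit("|", 1)[1]
    return hmac.compare_digest(expected.encode(), tag.encode())


def forgeable_from_db_copy(user_row, scheme="legacy", now=0):
    """Property check modelling the thread's starting point: can a party that
    holds only the database row (and no server secret) produce a cookie the
    server accepts?"""
    if scheme == "legacy":
        return legacy_cookie_valid(user_row, legacy_cookie(user_row))
    # Without the real secret the forger can only guess one.
    guessed = keyed_cookie(user_row, now + 3600, secret=b"not the real secret")
    return keyed_cookie_valid(user_row, guessed, now)


if __name__ == "__main__":
    print("legacy cookie forgeable from DB copy:",
          forgeable_from_db_copy(USER_ROW, "legacy"))
    print("keyed cookie forgeable from DB copy:",
          forgeable_from_db_copy(USER_ROW, "keyed", now=100))
```

Otto's interception point still stands for both schemes: a cookie sniffed off an unencrypted connection can be replayed as-is. The keyed form only narrows that to the expiry window and to the time until the user changes their password; keeping the secret out of the database is what addresses the read-only-DB case Ryan describes.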

