[wp-hackers] Wordpress Cookie Authentication Vulnerability

Computer Guru computerguru at neosmart.net
Wed Nov 21 05:36:53 GMT 2007


Unfortunately not.

There are libraries available in other languages, but MD5 has been the
"standard" in PHP-based web-apps for too long.

I find myself linking, once again, to Jeff Atwood's excellent article:
http://www.codinghorror.com/blog/archives/000953.html

This section jumps out at me in the current context:
*********
*Do not invent your own "clever" password storage scheme*. I know, you're
smart, and you grok this crypto stuff. But through this door lies madness--
and abominations like LMHash <http://en.wikipedia.org/wiki/LM_hash> that
have ongoing, worldwide security ramifications we're still dealing with
today. Take advantage of whatever password storage tools your framework
provides, as they're likely to be a heck of a lot better tested and more
battle-proven than any crazy scheme you and your team can come up with on
your own. Security vulnerabilities, unlike functionality bugs in your
application, run deep and silent. They can lay dormant for years.
********


At any rate, my REALLY simple answer to the whole "having passwords in the
db means crackers can fake cookies" problem:
Add a second SALT column to your database. Make password hashes
twice-salted; therefore effectively:
1) Rendering all existing hashes useless
2) Logging out all users
3) Preserving backwards compatibility in that you can use the data you
already have to make the new hash.

Only problem is, it probably doesn't work too well for a published package
like WP.... It's fine for company XYZ running their own software, hosted
in-house, w/ real coders available to make the change on demand; it
addresses all the problems; and it's easy to use.... but it definitely won't
work when you're distributing the code for others to deploy..........


-CG

On 11/21/07, Otto <otto at ottodestruct.com> wrote:
>
> Great! Now that you like the idea, let me shoot it down. :)
>
> This approach prevents "staying logged in" on multiple computers. I
> login from work and home. I leave my cookie on both, and have no
> issues. With this approach, I have to login every time, since the BRS
> keeps changing. Can true session IDs solve this?
>
> Longer term answer: Why are we building this logic ourselves anyway?
> This seems like it should be a solved problem. Is there no PHP library
> that will do this for us?
>
> -Otto
>
>
>
> On 11/20/07, Bas Bosman <wordpress at nazgul.nu> wrote:
> > > Is there any reason in particular WP is using MD5 as opposed to a
> > > stronger algorithm?
> >
> > Yes, because WordPress still supports PHP 4.2, which doesn't really have
> > any good support for a stronger algorithm.
> >
> > But as mentioned in the Trac ticket. MD5 isn't the issue here. The issue
> > is that we have a guessable cookie, based on read-only database access or
> > non-ssl network sniffing.
> >
> > I think Otto gave a nice overview of a possible solution. Which can
> > optionally be enhanced by linking login cookies to ip-addresses to further
> > minimize the chances of cookie stealing. (Mark the optional, because it
> > can have unwanted side-effects in some network setups)
> >
> > Regards,
> > Bas Bosman (Nazgul)
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >



-- 
Computer Guru
Director,
NeoSmart Technologies
http://neosmart.net/blog/
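As an added illustration (not code from this thread or from WordPress) of the two points raised above, Bas's threat model of a guessable cookie under read-only database access and Otto's question whether true session IDs solve it without breaking work-plus-home logins, here is a Python sketch. The users table, the weak cookie derivation and the session store are constructed stand-ins, not WordPress's actual schema or code.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table: username -> stored password hash.
# In the weak scheme below the cookie is derived from nothing but this row.
USERS = {"alice": {"pass_hash": hashlib.md5(b"constructed-sample-pw").hexdigest()}}

# Weak scheme (the thread's "guessable cookie"): the cookie is a pure function
# of data that lives in the database, so a read-only copy of the table is
# enough to reproduce a valid cookie for any user.
def weak_cookie(user):
    return hashlib.md5((user + USERS[user]["pass_hash"]).encode()).hexdigest()

def weak_check(user, cookie):
    return hmac.compare_digest(cookie, weak_cookie(user))

def forgeable_from_db_snapshot(db_snapshot, user):
    # Risk check: can a valid cookie be rebuilt from the DB snapshot alone?
    rebuilt = hashlib.md5((user + db_snapshot[user]["pass_hash"]).encode()).hexdigest()
    return weak_check(user, rebuilt)

# Session-ID scheme (Otto's "true session IDs"): every login gets a fresh
# random token; the cookie carries the token, the DB stores only its hash.
# One row per login, so work and home sessions coexist and are revoked
# independently, and a DB snapshot yields hashes, not usable cookies.
SESSIONS = {}  # sha256(token) -> username (constructed in-memory table)

def create_session(user):
    token = secrets.token_hex(16)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = user
    return token

def check_session(user, token):
    return SESSIONS.get(hashlib.sha256(token.encode()).hexdigest()) == user

def revoke_session(token):
    SESSIONS.pop(hashlib.sha256(token.encode()).hexdigest(), None)

def session_forgeable_from_db_snapshot(db_snapshot, user):
    # The snapshot holds only token hashes; presenting a stored hash as the
    # cookie fails because the server hashes whatever it receives before lookup.
    return any(check_session(user, h) for h, u in db_snapshot.items() if u == user)
```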

