[wp-hackers] Wordpress Cookie Authentication Vulnerability

Computer Guru computerguru at neosmart.net
Thu Nov 22 03:10:05 GMT 2007


Definitely true.

The only "dangerous" crackers (let's not use hackers to describe bad-guys
now... I mean, we're wp-*HACKERS* for God's sake! :P) are those that hide
their presence.

If it's just a script-kiddie, odds are they just want to put their picture
on your site with a "omg! you has been pwnd!!!!!! lawlz!" message followed
by "dA red-d347h has struck again!!" or something... that's when you know
you've been hacked, but at the same time, odds are this guy isn't too bright
and won't be analyzing the hashes and running them through various analysis
and reverse hash programs.

But when someone wants your users data... they probably won't want to draw
attention to themselves in the first place...

anyway....

I still think that MD5 is the wrong way to go... PHP 4.3.0+ has support for
sha1(), and older versions can use mhash() to achieve the same result
(though slower).

However, the real cool stuff is in PHP 5.1.2+ with the hash() function which
offers multiple hashing schemes that are just a function call away.


Just my two Fils,

-CG

On 11/22/07, Callum Macdonald <lists.automattic.com at callum-macdonald.com>
wrote:
>
> Re salting passwords after an attack is only viable if you know you've
> been attacked. I'm guessing it wouldn't be used by 99% of WP users. It
> might make an interesting plugin though...
>
> We're not using salts currently, just straight md5s. I believe md5 is
> easier because of the PHP versions being supported, etc. However, a
> uniquely salted md5 is still pretty secure, and would be a major step
> forward from where we are today.
>
> I'd suggest the biggest risk today is not that people hack WordPress
> (ultimately, it's not that big a deal) but that if somebody gets hold of
> your db, they then guess that most of your users use the same password
> for all sites, and proceed to go wreak havoc on users all over the place.
>
> +1 for salting the hashes using md5...
>
> C.
>
> Computer Guru wrote:
> > Honestly, I'm surprised WP hasn't done that already... But that does not
> > address the main issue here (which should NEVER occur if you take care of
> > your stuff... *assuming* wp doesn't have any exploits) and that is how to
> > maintain user password integrity after being hacked.
> >
> > (Oh, and if we're going with a SALT, we had damn-well better not use MD5...)
> >
> >
> > On 11/22/07, Callum Macdonald <lists.automattic.com at callum-macdonald.com>
> > wrote:
> >
> >> I think it would be a significant improvement to store each password
> >> with a randomly generated salt. I think using a random salt based on the
> >> current microtime would be sufficient.
> >>
> >> This would negate md5 rainbow attacks in reversing passwords from the
> >> database. Plus, it's relatively easy to compute. It's a simple, elegant
> >> solution.
> >>
> >> Cheers - Callum.
> >>
> >> Computer Guru wrote:
> >>
> >>> On 11/22/07, Viper007Bond <viper at viper007bond.com> wrote:
> >>>
> >>>
> >>>> Manually picking and having to change a salt often is major pain in the
> >>>> ass and something the average user won't do.
> >>>>
> >>>> Better to have it be automated if you ask me.
> >>>>
> >>>>
> >>>>
> >>> That's not exactly difficult though, :-D
> >>>
> >>> A big red button "I've been hacked!"
> >>> Clicky-the-button:
> >>> WP adds a new column, randomly generated salt (salt1, salt2, salt3).
> >>> WP re-creates password hashes: password_hash = md5(currenthash .
> >>> md5(latestsalt))
> >>> WP updates login routine from password_hash = md5(password . md5(salt1))
> >>> to
> >>> password_hash = md5( md5(password . md5(salt1)) . md5(salt2) )
> >>>
> >>> It's excellent in principle IMHO... but it can quickly get out of hand
> >>> :-(
> >>>
> >>> Besides the time it takes to perform 4 md5 calculations versus the
> >>> original (and if you get hacked again, it would be 8!), it's too hackish
> >>> for my liking.
> >>>
> >>> So yeah, it would be great for when Digg gets hacked, krose can just add
> >>> a second salt and be done with it. But I don't think (even though this
> >>> was my idea :lol:) that this would work for a distributed package that we
> >>> expect people to install who probably don't know what MD5 is in the first
> >>> place.......
> >>>
> >>> Obviously the ideal solution would be to use reversible encryption
> >>> instead of an MD5 hash. When the db gets hacked, reverse the encryption to
> >>> obtain the plain-text password, reset the SALT column to new random
> >>> values, and then recreate the hash once more.
> >>>
> >>> Which brings me to yet another question:
> >>> 1) Do you WANT to trust *ALL* the WP users out there to have a REVERSIBLE
> >>> hash of user's passwords in the DB? Sure, they can easily modify the
> >>> current code to log passwords before hashing them, but that takes some
> >>> hacking talent - and hackers have their own code of ethics to adhere to ;)
> >>>
> >>> Seriously though, if you present the password as a reversible encryption,
> >>> you'll be giving script kiddies the time of their life. But it DOES solve
> >>> the problem.....
> >>> 2) Are there any *uncracked* encryption libraries for PHP out there?
> >>>
> >>>
> >>>
> >>>
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >>
> >
> >
> >
> >
>
>



-- 
Computer Guru
Director,
NeoSmart Technologies
http://neosmart.net/blog/
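Worked example of the two ideas the thread goes back and forth on: a per-user random salt stored beside the hash, and the "big red button" that adds a second salt after a breach by wrapping the existing hash rather than needing the plaintext. This is an added illustration, not code from the thread or from WordPress. It assumes PHP 7+ (random_bytes(), hash_equals(), scalar type hints) and picks sha256 through hash(), the function the last message argues for, where the thread's sketch used md5(); the function names and the user record are invented for the demo.

```php
<?php
// Added example, not WordPress code: per-user random salt plus the
// "add another salt after a breach" chain the thread sketches with md5().
// Assumptions: PHP 7+, and hash() with the algorithm named in ALGO.
const ALGO = 'sha256';   // assumed choice; anything listed by hash_algos() works

function newSalt(): string
{
    return bin2hex(random_bytes(16));   // 128 random bits per user, hex encoded
}

// Scheme from the thread:  password_hash = H(password . H(salt1))
function hashPassword(string $password, string $salt1): string
{
    return hash(ALGO, $password . hash(ALGO, $salt1));
}

// Breach response from the thread: wrap the stored hash in a new salt
// without needing the plaintext:  hash_n = H(hash_(n-1) . H(salt_n))
function rewrapHash(string $storedHash, string $newSalt): string
{
    return hash(ALGO, $storedHash . hash(ALGO, $newSalt));
}

// Login check that follows the chain for any number of salts; with two
// salts this is the thread's  H( H(password . H(salt1)) . H(salt2) ).
function verifyPassword(string $password, array $salts, string $storedHash): bool
{
    $h = hashPassword($password, $salts[0]);
    foreach (array_slice($salts, 1) as $salt) {
        $h = rewrapHash($h, $salt);
    }
    return hash_equals($storedHash, $h);   // constant-time comparison
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
}

// --- walk-through on a constructed user record --------------------------
$user = ['salts' => [newSalt()], 'hash' => ''];
$user['hash'] = hashPassword('correct horse', $user['salts'][0]);

check(verifyPassword('correct horse', $user['salts'], $user['hash']), 'login with salt1');
check(!verifyPassword('wrong', $user['salts'], $user['hash']), 'reject bad password');

// Same password for a second user with its own salt gives a different hash,
// so one precomputed (rainbow) table no longer covers every row.
$other = hashPassword('correct horse', newSalt());
check($other !== $user['hash'], 'per-user salt gives distinct hashes');

// "I've been hacked!" button: store salt2 and rewrap every existing hash.
$salt2 = newSalt();
$user['salts'][] = $salt2;
$user['hash'] = rewrapHash($user['hash'], $salt2);

check(verifyPassword('correct horse', $user['salts'], $user['hash']), 'login after rewrap');
check(!verifyPassword('wrong', $user['salts'], $user['hash']), 'reject after rewrap');

// Cost the thread worries about: each extra salt adds two hash() calls per
// login (2 calls with one salt, 4 with two), not a growing set of columns.
echo "all checks passed\n";
```

Run it with `php example.php`; it throws on the first failed check. Two caveats a practitioner should keep in mind: the rewrap only changes what the database holds from now on, while the copy the attacker already took still contains salt1 and the original hash, so it does nothing against offline guessing of that copy, and the inner layer of the chain is still a single fast hash over the password, which is exactly what the "reverse hash programs" mentioned above attack; after a confirmed database theft, forcing a password reset is what actually protects users who reuse passwords.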

