[wp-hackers] Security Vulnerability found

denis at semiologic.com denis at semiologic.com
Wed Apr 13 14:31:50 GMT 2005 

I understand this somewhat differently. As in, a registered level 0 user could
get my admin cookie. So the severity is medium indeed.

Speaking of cookies, I saw WordPress stores an md5 hash of the user's account
md5 hashed password in a cookie. This is hacker bait. I personally did the
following on my previous sites:

on login:
- generate random token
- store token and user id in cookie
- store token, user id and user ip in a session table

session_id | session_token | user_id | user_ip

on page view:
- match broadcasted data to session data
  => up to here, it works much the same as wordpress
- check IP; on inconsistency, log user out and warn admin
  => differs from WordPress, I believe
- else continue, and regen token every so often
  => differs from WordPress, I believe

downside:
- not perfect either (you can still hijack an account, but it is much more
difficult)

upsides:
- hacker cannot decrypt login + password by simply catching a cookie

optionally, allow only one session per user_id. this limits the risk to lose
your blog if you forget to log out from a cybercoffee.

likewise, optionally log off after a timeout period.

-- 
Denis
http://www.semiologic.com


Quoting Brian Dupuis <wordpress at coldforged.org>:

> Eli Sarver wrote:
>
> >Has this been addressed?
> >
> >http://soulblack.com.ar/repo/papers/wordpress_advisory.txt
> >
> >Title: WordPress XSS and HTML injection
> >Vulnerability discovery: SoulBlack - Security Research -
> >http://soulblack.com.ar
> >Date: 12/04/2005
> >Severity: Medium. users can obtain cookies of other users and defacement
> website
> >Affected version: <= 1.5
> >
> So, blog authors can insert HTML into their titles and posts?
> Admittedly, perhaps some stripping of particular elements (e.g.
> "script") could/should be done, the arbitrary conversion of _all_ tags
> is a bit daft. Look out for those "<em>" tags!
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>




----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

More information about the wp-hackers mailing list