[wp-hackers] Wordpress Cookie Authentication Vulnerability
Otto
otto at ottodestruct.com
Tue Nov 20 17:05:34 GMT 2007
Seems to me that this is the correct way to log somebody in using a
cookie: Create a separate cookie field in the user DB, which contains
the MD5 hash of the actual (random) cookie sent to the user.
Code would look like this:
1. Generate biggish random string (BRS for short).
2. Set that BRS as the cookie to send to user.
3. Store MD5(BRS) in database as user_cookie.
The existing code for the MD5 of the blog URL and username is fine, no
risk there.
When user sends back the cookie, you do MD5 of it and compare it with
what's in the DB (user_cookie). If they match, you're good.
This eliminates all connection to the actual "password", and a DB
read-only compromise (haha) cannot generate the cookie given info in
the DB. Okay, they can brute force the password if they like, but they
can always do that.
-Otto
On 11/20/07, Stephane Daury <wordpress at tekartist.org> wrote:
>
> http://xkcd.com/327/
> http://www.pcweenies.org/archives.php?toon=1103
>
> But yeah, I never was too happy to see my password, even double
> hashed, in a cookie.
>
> Stephane
>
>
>
> On Nov 20, 2007, at 11:46, Bob wrote:
>
> > I'm not a security weenie, but it seems to me you wouldn't even need
> > an exploit. Unless you're running SSL, the hashed password is sent
> > in the clear, so a hacker can get the hashed password and then
> > exploit this cookie vulnerability.
> >
> >
> >
> > ----- Original Message ----- From: "Ryan Boren" <ryan at boren.nu>
> > To: <wp-hackers at lists.automattic.com>
> > Sent: Tuesday, November 20, 2007 2:41 AM
> > Subject: Re: [wp-hackers] Wordpress Cookie Authentication
> > Vulnerability
> >
> >
> >> On 11/19/07, Computer Guru <computerguru at neosmart.net> wrote:
> >>> You've got to be kidding me!
> >>>
> >>> I read the first five words then burst out laughing:
> >>> "With read-only access to the Wordpress database"...
> >>>
> >>> Once you've got read-only access to a database, how much more
> >>> vulnerable do
> >>> you want?
> >>
> >> Yeah, it's not a vulnerability in and of itself. But, in the event
> >> your site is compromised (cough -- WP exploits -- cough), these
> >> measures would prevent someone slurping your password hashes and
> >> doing
> >> naughty things with them after you've patched whatever hole was
> >> exploited. If we can add these extra measures cheaply, they can be
> >> handy when cleaning up after an exploit.
> >>
> >> Ryan
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
More information about the wp-hackers
mailing list