[wp-hackers] Wordpress Cookie Authentication Vulnerability
Stephane Daury
wordpress at tekartist.org
Tue Nov 20 17:21:44 GMT 2007
Yup, otherwise known as a session id.
Stephane
On Nov 20, 2007, at 12:05, Otto wrote:
> Seems to me that this is the correct way to log somebody in using a
> cookie: Create a separate cookie field in the user DB, which contains
> the MD5 hash of the actual (random) cookie sent to the user.
>
> Code would look like this:
> 1. Generate biggish random string (BRS for short).
> 2. Set that BRS as the cookie to send to user.
> 3. Store MD5(BRS) in database as user_cookie.
>
> The existing code for the MD5 of the blog URL and username is fine, no
> risk there.
>
> When user sends back the cookie, you do MD5 of it and compare it with
> what's in the DB (user_cookie). If they match, you're good.
>
> This eliminates all connection to the actual "password", and a DB
> read-only compromise (haha) cannot generate the cookie given info in
> the DB. Okay, they can brute force the password if they like, but they
> can always do that.
>
> -Otto
>
>
>
> On 11/20/07, Stephane Daury <wordpress at tekartist.org> wrote:
>>
>> http://xkcd.com/327/
>> http://www.pcweenies.org/archives.php?toon=1103
>>
>> But yeah, I never was too happy to see my password, even double
>> hashed, in a cookie.
>>
>> Stephane
>>
>>
>>
>> On Nov 20, 2007, at 11:46, Bob wrote:
>>
>>> I'm not a security weenie, but it seems to me you wouldn't even need
>>> an exploit. Unless you're running SSL, the hashed password is sent
>>> in the clear, so a hacker can get the hashed password and then
>>> exploit this cookie vulnerability.
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "Ryan Boren" <ryan at boren.nu>
>>> To: <wp-hackers at lists.automattic.com>
>>> Sent: Tuesday, November 20, 2007 2:41 AM
>>> Subject: Re: [wp-hackers] Wordpress Cookie Authentication Vulnerability
>>>
>>>
>>>> On 11/19/07, Computer Guru <computerguru at neosmart.net> wrote:
>>>>> You've got to be kidding me!
>>>>>
>>>>> I read the first five words then burst out laughing:
>>>>> "With read-only access to the Wordpress database"...
>>>>>
>>>>> Once you've got read-only access to a database, how much more
>>>>> vulnerable do you want?
>>>>
>>>> Yeah, it's not a vulnerability in and of itself. But, in the event
>>>> your site is compromised (cough -- WP exploits -- cough), these
>>>> measures would prevent someone slurping your password hashes and
>>>> doing naughty things with them after you've patched whatever hole
>>>> was exploited. If we can add these extra measures cheaply, they can
>>>> be handy when cleaning up after an exploit.
>>>>
>>>> Ryan
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
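The scheme Otto outlines in the quoted message, as an added example that is not part of the original thread and not WordPress code. Assumptions: an in-memory SQLite table stands in for the user DB, the function names are hypothetical, and SHA-256 is swapped in for the MD5 named in the post.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed in-memory user table; the user_cookie column name follows the post.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, user_cookie TEXT)")
db.execute("INSERT INTO users VALUES ('admin', NULL)")  # constructed sample user


def token_digest(token: str) -> str:
    # The post says MD5; SHA-256 is swapped in. Either way only a digest is stored.
    return hashlib.sha256(token.encode()).hexdigest()


def login(user: str) -> str:
    """Steps 1-3: generate the random string, store its digest, return the cookie."""
    brs = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("UPDATE users SET user_cookie = ? WHERE login = ?",
               (token_digest(brs), user))
    return brs


def check_cookie(user: str, cookie: str) -> bool:
    """Hash the presented cookie and compare it with the stored digest."""
    row = db.execute("SELECT user_cookie FROM users WHERE login = ?",
                     (user,)).fetchone()
    if row is None or row[0] is None:
        return False  # unknown user or no active session
    return hmac.compare_digest(row[0], token_digest(cookie))  # constant-time compare


def logout(user: str) -> None:
    """Clearing the stored digest invalidates the cookie server-side."""
    db.execute("UPDATE users SET user_cookie = NULL WHERE login = ?", (user,))


def stored_digest(user: str) -> str:
    """What a read-only view of the database reveals for this user."""
    return db.execute("SELECT user_cookie FROM users WHERE login = ?",
                      (user,)).fetchone()[0]


if __name__ == "__main__":
    cookie = login("admin")
    print("valid cookie accepted:", check_cookie("admin", cookie))
    print("stored digest accepted as cookie:",
          check_cookie("admin", stored_digest("admin")))
    logout("admin")
    print("cookie accepted after logout:", check_cookie("admin", cookie))
```

Because the database holds only the digest of a random value, a leaked user_cookie column does not yield a usable cookie, and clearing the column ends the session without touching the password.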