[wp-hackers] Wordpress Cookie Authentication Vulnerability

Benedict Eastaugh ionfish at gmail.com
Tue Nov 20 17:39:48 GMT 2007


Ryan mentioned portability issues on the Trac ticket.

http://trac.wordpress.org/ticket/5367

On 20/11/2007, Seth Chromick <seth at thenextwave.biz> wrote:
> Is there any reason in particular WP is using MD5 as opposed to a
> stronger algorithm?
>
> Otto wrote:
> > Seems to me that this is the correct way to log somebody in using a
> > cookie: Create a separate cookie field in the user DB, which contains
> > the MD5 hash of the actual (random) cookie sent to the user.
> >
> > Code would look like this:
> > 1. Generate biggish random string (BRS for short).
> > 2. Set that BRS as the cookie to send to user.
> > 3. Store MD5(BRS) in database as user_cookie.
> >
> > The existing code for the MD5 of the blog URL and username is fine, no
> > risk there.
> >
> > When user sends back the cookie, you do MD5 of it and compare it with
> > what's in the DB (user_cookie). If they match, you're good.
> >
> > This eliminates all connection to the actual "password", and a DB
> > read-only compromise (haha) cannot generate the cookie given info in
> > the DB. Okay, they can brute force the password if they like, but they
> > can always do that.
> >
> > -Otto
> >
> >
> >
> > On 11/20/07, Stephane Daury <wordpress at tekartist.org> wrote:
> >
> >> http://xkcd.com/327/
> >> http://www.pcweenies.org/archives.php?toon=1103
> >>
> >> But yeah, I never was too happy to see my password, even double
> >> hashed, in a cookie.
> >>
> >> Stephane
> >>
> >>
> >>
> >> On Nov 20, 2007, at 11:46, Bob wrote:
> >>
> >>
> >>> I'm not a security weenie, but it seems to me you wouldn't even need
> >>> an exploit.  Unless you're running SSL, the hashed password is sent
> >>> in the clear, so a hacker can get the hashed password and then
> >>> exploit this cookie vulnerability.
> >>>
> >>>
> >>>
> >>> ----- Original Message ----- From: "Ryan Boren" <ryan at boren.nu>
> >>> To: <wp-hackers at lists.automattic.com>
> >>> Sent: Tuesday, November 20, 2007 2:41 AM
> >>> Subject: Re: [wp-hackers] Wordpress Cookie Authentication
> >>> Vulnerability
> >>>
> >>>
> >>>
> >>>> On 11/19/07, Computer Guru <computerguru at neosmart.net> wrote:
> >>>>
> >>>>> You've got to be kidding me!
> >>>>>
> >>>>> I read the first five words then burst out laughing:
> >>>>> "With read-only access to the Wordpress database"...
> >>>>>
> >>>>> Once you've got read-only access to a database, how much more
> >>>>> vulnerable do you want?
> >>>>>
> >>>> Yeah, it's not a vulnerability in and of itself. But, in the event
> >>>> your site is compromised (cough -- WP exploits -- cough), these
> >>>> measures would prevent someone slurping your password hashes and
> >>>> doing naughty things with them after you've patched whatever hole was
> >>>> exploited. If we can add these extra measures cheaply, they can be
> >>>> handy when cleaning up after an exploit.
> >>>>
> >>>> Ryan
> >>>> _______________________________________________
> >>>> wp-hackers mailing list
> >>>> wp-hackers at lists.automattic.com
> >>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>>>
> >>>
> >>
> >>
> >
> >
>
>
>
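The scheme Otto sketches in the quoted thread (random token to the browser, only its hash in the user table, compare hashes on the way back) as an added, self-contained example; this is not code from the thread, the Trac ticket, or WordPress itself. It assumes a plain dict standing in for the user table's user_cookie column, uses SHA-256 where Otto's message names MD5 (Seth's question about a stronger algorithm is the reason for the swap), draws the "biggish random string" from `secrets.token_urlsafe`, and compares with `hmac.compare_digest`, a detail the message does not mention. A `revoke` helper shows Ryan's cleanup point: wiping or rotating user_cookie after a compromise invalidates every outstanding cookie without touching the password.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the user table's user_cookie column: username -> hash(BRS).
USER_DB: dict = {}

# Otto's message specifies MD5; SHA-256 is used here instead (assumption for this example).
HASH = hashlib.sha256


def _digest(brs: str) -> str:
    """Hash the random cookie string the way it is stored in the DB."""
    return HASH(brs.encode("utf-8")).hexdigest()


def issue_cookie(username: str, db: dict = USER_DB) -> str:
    """Log a user in: returns the cookie value to send, stores only its hash.

    Step 1: generate a biggish random string (BRS).
    Step 3: store hash(BRS) in the DB as user_cookie.
    Step 2: the BRS itself (tagged with the username) is what goes in the cookie.
    """
    brs = secrets.token_urlsafe(32)        # 256 bits of randomness, URL-safe alphabet
    db[username] = _digest(brs)            # the DB never sees the cookie value itself
    return f"{username}:{brs}"


def verify_cookie(cookie: str, db: dict = USER_DB) -> bool:
    """Check a cookie the browser sent back: hash it and compare with user_cookie."""
    # token_urlsafe never produces ':' so rsplit is safe even if usernames contain it
    username, sep, brs = cookie.rpartition(":")
    if not sep or not username or not brs:
        return False
    stored = db.get(username)
    if stored is None:
        return False                       # unknown user or no active cookie
    # constant-time compare so the check itself leaks nothing about the stored hash
    return hmac.compare_digest(_digest(brs), stored)


def revoke(username: str, db: dict = USER_DB) -> None:
    """Post-incident cleanup: drop user_cookie so existing cookies stop working."""
    db.pop(username, None)


if __name__ == "__main__":
    db: dict = {}
    cookie = issue_cookie("alice", db)
    print("valid:", verify_cookie(cookie, db))                           # True
    # What a read-only DB dump yields is the hash, and the hash is not the cookie.
    print("forged from DB:", verify_cookie("alice:" + db["alice"], db))   # False
    revoke("alice", db)
    print("after revoke:", verify_cookie(cookie, db))                    # False
```

The DB row holds `hash(BRS)`, and `verify_cookie` hashes whatever arrives before comparing, so presenting the stored hash as the cookie fails; that is the property Otto is after.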


More information about the wp-hackers mailing list