[wp-hackers] Randy rands

Otto otto at ottodestruct.com
Wed Sep 3 14:13:00 GMT 2008


No, it's an actual security flaw, although not an easily exploitable
one, and it's not really a flaw in WordPress. It's all about weak
seeding in other programs running on the same php instance.

WordPress does not call mt_srand to seed the generator. And this is
fine, PHP seeds it itself internally. But if you're using mod_php <
5.2.6, then it's not reseeded every call, only at startup. If some
other system seeds it poorly, and leaks the mt_rand() value, then you
can predict the next mt_rand() value and exploit it. In particular,
with WordPress, you can exploit the "lost password" function, predict
the generated activation key, and reset the password on any user
account.

Here's an exploit that uses a flawed piece of software (phpBB) to both
seed the generator and grab the state of mt_rand. Once it knows the
next mt_rand, it can hack into WordPress, because WordPress does not
do any seeding on its own, and is using the same seed as was there
already (assuming mod_php < 5.2.6):
http://raz0r.name/wp-content/uploads/2008/08/wp1.html

-Otto


On Tue, Sep 2, 2008 at 10:22 PM, Viper007Bond <viper at viper007bond.com> wrote:
> It's just improved security, not a security flaw if I'm reading it right. No
> different from ditching MD5 password storage or using the better cookies
> (again, if I understand the issue).
>
> On Tue, Sep 2, 2008 at 11:35 AM, Otto <otto at ottodestruct.com> wrote:
>
>> I noticed http://trac.wordpress.org/changeset/8728 and
>> http://trac.wordpress.org/changeset/8749 the other day. It occurred to
>> me that since this is a fix for a security issue, it might be
>> worthwhile to backport it to 2.0.11 as well, since that's being
>> supported until 2010.
>>
>> Any plans on that?
>>
>> -Otto
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
>
>
>
> --
> Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
>
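An added illustration in PHP of the determinism Otto describes above (not code from WordPress, phpBB or this thread): two workers that start from the same weak mt_rand() seed produce the same "random" key when the key generator never reseeds, while a key drawn from the OS CSPRNG does not depend on that shared state. It assumes PHP 7+ for `random_bytes()`; the seed value and `predictable_key`/`secure_key` names are constructed for the example.

```php
<?php
// Added illustration, not code from WordPress or from the thread.
// Simulates two PHP worker processes that happen to start with the
// same weak mt_rand() seed, as a poorly seeded component on a
// pre-5.2.6 mod_php host could leave them (state is per process,
// not reseeded per request).

// Hypothetical stand-in for an activation key built from mt_rand(),
// the pattern the thread describes as predictable.
function predictable_key(int $len = 20): string {
    $key = '';
    for ($i = 0; $i < $len; $i++) {
        $key .= dechex(mt_rand(0, 15));
    }
    return $key;
}

// Hardened form: draw from the OS CSPRNG (PHP 7+). Its output does not
// depend on mt_rand()'s seed or on any other code's use of mt_rand().
function secure_key(int $len = 20): string {
    return substr(bin2hex(random_bytes((int) ceil($len / 2))), 0, $len);
}

// Constructed low-entropy seed (a Unix-timestamp-sized value), standing
// in for whatever the other component seeded with.
$weakSeed = 1220451180;

// "Worker A": some other component seeds weakly; the key generator then
// calls mt_rand() without reseeding.
mt_srand($weakSeed);
$keyA = predictable_key();

// "Worker B": same weak seed, same unseeded key generator.
mt_srand($weakSeed);
$keyB = predictable_key();

// Deterministic: identical prior state yields an identical key.
assert($keyA === $keyB);
printf("mt_rand-based key, worker A: %s\n", $keyA);
printf("mt_rand-based key, worker B: %s\n", $keyB);

// The CSPRNG-backed key does not repeat across workers.
$secA = secure_key();
$secB = secure_key();
assert($secA !== $secB);
printf("random_bytes key,  worker A: %s\n", $secA);
printf("random_bytes key,  worker B: %s\n", $secB);
```

Run it with `php -d zend.assertions=1 file.php`; the first two printed keys match, the last two differ.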

