[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Mon Dec 10 22:12:35 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: westi
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by ryan):
Replying to [comment:40 sjmurdoch]:
> Replying to [comment:39 ryan]:
> > We could incorporate your session key stuff into the currently unused
> > data field of the cookie. Store a random key in the cookie and store the
> > hash of that key in the DB. But, that brings us back to allowing only one
> > session at a time and requiring a DB write for every successful login
> > attempt.
>
> I think it is possible to do better, but it could involve a bit of
> tricky cryptography. With only MD5 it will take more work, but it is
> possible to turn any hash function into a block cipher. I'm not sure if
> I'll have enough time this week to write it up properly though.
Even with a block cipher we still have to worry about someone getting the
key if it is stored in the DB, yes?
If a block cipher would indeed help prevent cookies being created from DB
information, we could always make it an optional bit of extra security we
add if mcrypt is available. If mcrypt is not available, the cookie
doesn't get that extra bit of security. If we do want to provide a fall
back for when mcrypt is not available, I found this. Don't know if it's
any good.
http://www.jonasjohn.de/snippets/php/md5-based-block-cipher.htm
> > > What are the timeouts on the cookies? It looks like 2 days or 14 days
> > > if I do my maths right - would we not do better with a shorter expiry time
> > > and resetting the cookie on every admin page access with a new expiry.
> >
> > Wouldn't that allow replaying an old cookie to get a new cookie with a
> > fresh expiry?
>
> A variant is to only allow auto-extension of valid cookies, so it means
> that really old ones won't work. That still means that if someone steals a
> cookie and uses it promptly, it will be possible to keep renewing it. I
> still think it is better to have a hard limit on cookie expiration, so
> someone with a cookie and no password will eventually get locked out.
I'd rather have a hard limit too. A reasonable timeout coupled with a
grace period to allow POSTs to complete seems user friendly enough.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:41>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software