Full Disclosure mailing list archives

Re: Wordpress Cookie Authentication Vulnerability

From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Thu, 22 Nov 2007 16:56:00 +0200 (EET)

This issue is SA27714 (severity 1/5)
http://secunia.com/advisories/27714/

and FrSIRT/ADV-2007-3941 (severity 1/4)
http://www.frsirt.com/english/advisories/2007/3941

too.

Secunia advisory lists these workarounds:
"Grant only trusted users read access to the "users" table.
Restrict access to the "wp-admin" directory (e.g. with ".htaccess")."

- Juha-Matti

Right this problem has existed for a long time, but it's not the end of
the world for someone to point it out again I suppose.

I think it's obvious that there's another main issue here and that's the
way WordPress handles its cookies in general.  They are not temporary
sessions that expire or are only valid upon successful authentication.
The cookies work for ever.. or at least until the password changes.  If
someone uses an XSS attack to obtain the cookies or sniffs them (most
blogs are just HTTP) they can essentially permanently authenticate.  The
same result occurs with being able to read the database.

Furthermore, one could in theory conduct a bruteforce attack against the
WordPress password by just making normal requests to the blog but changing
the cookies that does the double MD5 of the password.  You could in theory
emulate normal continued browsing of the website while sending
MD5(MD5(password)) over and over with each request via the cookie.  Other
than perhaps a large increase in browsing of the blog, this could possibly
go unnoticed as an attack -- as it would not be logged anywhere (in most
instances) that the cookies were being presented.  Once authenticated into
WordPress, the normal blog pages look different, so it would not require
an attacker to access the Admin area to verify.

Anyway, good to see the CVE is already there.  Maybe better session
management will find its way into WordPress.


Steven
http://www.securityzone.org

(>..runs on WordPress.. oh noes!)

This is CVE-2007-6013 since 19th Nov including WordPress ticket #5367:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6013

- Juha-Matti

--clip--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Wordpress Cookie Authentication Vulnerability, (continued)
- - Re: Wordpress Cookie Authentication Vulnerability Steven Murdoch (Nov 20)
- Re: Wordpress Cookie Authentication Vulnerability Stefan Esser (Nov 20)
  - Re: Wordpress Cookie Authentication Vulnerability Steven J. Murdoch (Nov 20)
- Re: Wordpress Cookie Authentication Vulnerability Juha-Matti Laurio (Nov 20)
  - Re: Wordpress Cookie Authentication Vulnerability Steven Adair (Nov 20)
    - Re: Wordpress Cookie Authentication Vulnerability James Matthews (Nov 20)
    - Re: Wordpress Cookie Authentication Vulnerability Eduardo Tongson (Nov 20)
    - Re: Wordpress Cookie Authentication Vulnerability Valdis . Kletnieks (Nov 20)
    - Re: Wordpress Cookie Authentication Vulnerability Paul Schmehl (Nov 20)
    - Re: Wordpress Cookie Authentication Vulnerability Adrian P (Nov 21)
- Re: Wordpress Cookie Authentication Vulnerability Juha-Matti Laurio (Nov 22)