WordPress 3.4.2: Sessions Not Terminated Upon Explicit User Logout [CVE-2012-5868]

[Christopher Emerson <christopher.emerson () whiteoaksecurity com>]

*Summary
=======
WordPress 3.4.2 fails to invalidate a user’s sessions upon logout.

WordPress was originally notified of this issue in November 15, 2012.

CVE number: CVE-2012-5868
Impact: Medium
Vendor homepage: http://wordpress.com/
Vendor notified: 11/2012
Vendor fixed: N/A
Credit: Christopher Emerson of White Oak Security
(http://www.whiteoaksecurity.com/)

Affected Products
======== ========
Confirmed in self-hosted version WordPress 3.4.2.  Other versions may also
be affected.

Details
=======
When a user explicitly logs out of the WordPress 3.4.2 Administrator
interface via the logout link
(https://domainname.com/wp-login.php?action=logout),
Wordpress clears the cookies in the user’s browser, but fails to invalidate
the session cookie within the application.

A malicious user can take a a previously authenticated user’s session
cookie (wordpress_sec), add that cookie to a request for the administrator
interface (example https://domainname.com/wp-admin/profile.php), and they
will have access to the interface with the same roles and privileges as the
original valid user.

Impact
======
This vulnerability lengthens the windows for brute force session identifier
guessing attacks and session identifier replay attacks.  Successful
exploitation would allow attackers to masquerade as the victim within the
application.

Solution
========
Since the WordPress does not have server side session management, the
application should keep track of session identifiers where a user has
explicitly logged out, and prevent those sessions from connecting to the
application.


Distribution
============
This vulnerability was published publicly on December 17th, 2012.

*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/