CVE-2014-6412 - WordPress (all versions) lacks CSPRNG

[Scott Arciszewski <scott () arciszewski me>]

Ticket opened: 2014-06-25
Affected Versions: ALL
Problem: No CSPRNG
Patch available, collecting dust because of negligent (and questionably
competent) WP maintainers

On June 25, 2014 I opened a ticked on WordPress's issue tracker to expose a
cryptographically secure pseudorandom number generator, since none was
present (although it looks like others have tried to hack together a
band-aid solution to mitigate php_mt_seed until WordPress gets their "let's
support PHP < 5.3" heads out of their asses).

For the past 8 months, I have tried repeatedly to raise awareness of this
bug, even going as far as to attend WordCamp Orlando to troll^H advocate
for its examination in person. And they blew me off every time.

If anyone with RNG breaking experience (cough solar designer cough) can PoC
it, without the patch I've provided you should be able to trivially predict
the password reset token for admin users and take over any WordPress site
completely.

Eight fucking months.

Patch available with unit tests and PHP 5.2 on Windows support at
https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch

Scott
https://scott.arciszewski.me
@voodooKobra

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/