Full Disclosure mailing list archives
Wordpress 0day: Hacking into computers now easier than previously believed - Heise Security
From: "XSS Worm XSS Security Information Portal" <cross-site-scripting-security () xssworm com>
Date: Wed, 21 Nov 2007 05:51:26 +1100
Wordpress 0day: Hacking into computers now easier than previously believed, says Heise Security
<http://xssworm.blogvis.com/21/xssworm/wordpress-0day-hacking-into-computers-now-easier-than-previously-believed-says-heise-security/>

"A design flaw in the WordPress <http://wordpress.org/> blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now."

"Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a "rainbow table" – a process that can take some time and may not work at all for long passwords, for which there simply are no tables."

"But according to a security advisory published by Stephen J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:

    wordpresspass_<MD5(url)>=MD5(user_pass)

Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (that wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react."

Please Mr Murdoch No more talking to the media about security.

or maybe we create new media now (-;

vaj

--
Francesco Vaj [CISSP - GIAC]
CSS Security Researcher
mailto:vaj () nospam xssworm com
aim: XSS Cross Site
------
XSS Cross Site Scripting Attacks
Media Manipulation and Web 2.0 Insecurity Blog (tm) 2007
http://www.XSSworm.com/
------
"Vaj, bella vaj."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
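Added example (not part of the original post and not WordPress code): a Python model of the cookie check as quoted above, next to a keyed alternative, showing why the stored hash is password-equivalent under the first scheme and not under the second. The site URL, user table, secret and the keyed scheme itself are assumptions constructed for illustration.

```python
import hashlib, hmac

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()

# Constructed sample data; none of these values come from the advisory.
SITE_URL = "http://blog.example.test"
USERS = {"admin": md5_hex("constructed-password")}  # user_pass column = MD5(password)
SERVER_SECRET = b"constructed-demo-secret"          # hypothetical key kept outside the DB

def legacy_names(url: str = SITE_URL):
    h = md5_hex(url)
    return f"wordpressuser_{h}", f"wordpresspass_{h}"

def legacy_check(cookies: dict) -> bool:
    """Check as quoted: wordpresspass_<MD5(url)> must equal MD5(user_pass)."""
    user_c, pass_c = legacy_names()
    stored = USERS.get(cookies.get(user_c))
    if stored is None:
        return False
    return hmac.compare_digest(cookies.get(pass_c, "").encode(), md5_hex(stored).encode())

def cookie_from_db_row(user: str, stored_hash: str) -> dict:
    """Every input is in the users table, so the stored hash alone authenticates."""
    user_c, pass_c = legacy_names()
    return {user_c: user, pass_c: md5_hex(stored_hash)}

def _tag(user: str, expires: str) -> str:
    return hmac.new(SERVER_SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()

def keyed_issue(user: str, expires: int) -> str:
    # Assumed mitigation: the cookie is bound to a server-side secret and an expiry.
    return f"{user}|{expires}|{_tag(user, str(expires))}"

def keyed_check(cookie: str, now: int) -> bool:
    try:
        user, expires, tag = cookie.split("|")
        live = now < int(expires)
    except ValueError:
        return False
    ok = hmac.compare_digest(tag.encode(), _tag(user, expires).encode())
    return ok and live and user in USERS
```

With the keyed form, a read-only database leak no longer yields a valid cookie, because the tag depends on a secret that is not stored alongside the hashes.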