Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 0:25 UTC (Tue) by drag (subscriber, #31333)
In reply to: Wordpress Cookie Authentication Vulnerability by lutchann
Parent article: Wordpress Cookie Authentication Vulnerability
Well if you use a code injection vulnerability you can display tables and such without actually having login access to the database. Finding an input field (say URL or text input box) without correct input validation can provide this level of access. Since Wordpress then, effectively through cookies, uses MD5 hashes of passwords as passwords then it's stupid simple to gain access to any account. To look at it this way... A similar example would be on old Unix boxes without shadow passwords. Say you get access to an FTP account; all you have to do is then download the /etc/passwd file. This is very easy to do since everything uses that file for doing such mundane things as mapping a username to uid. Any network service, any user program, any user account can allow access to /etc/passwd. You don't need to be root to do that. It appears to me that the password table in the sql database is pretty much equivalent to /etc/passwd. Well in those old Unix/Linux systems the passwords would be encrypted in some manner. The attacker would then have to run a brute force program to find passwords that match the hashes. However.. Wordpress is so badly designed that the attacker does not have to even do that. Once they obtain the hash of the password they can actually use the hash _as_the_password_. It's very bad. So this vulnerability is a combination of an attacker finding bad input validation and badly designed Single-Sign-On authentication systems based on browser cookies.
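The design flaw drag describes, a cookie that carries the stored password hash so the hash is itself a password equivalent, is easiest to see next to the design it should have been. The following is an added example written for this thread, not WordPress code: a constructed one-user table, a "weak" cookie scheme modelled on the description above, and a "hardened" scheme that issues a random session token and stores only a digest of it. The function `table_leak_impact` shows what a read-only copy of the user table is worth under each scheme. All names, the user record and the password are constructed for the example.

```python
"""Added example: cookie-as-password-hash versus random session tokens.

Constructed model only; it is not WordPress's code.  The point of the thread
is that if the cookie is md5(password), then reading the user table is as
good as knowing the password.  A random session token stored server-side as a
digest has no such property: the user table alone does not log anyone in.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user table: username -> unsalted MD5 of the password (the
# thread's /etc/passwd analogy).  Unsalted MD5 is kept on purpose so both
# schemes start from the same stored data; it is not a recommendation.
USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def _password_matches(username, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(username, ""), digest)


# --- weak scheme: the cookie is "username|md5(password)" ------------------

def weak_issue_cookie(username, password):
    """Login succeeds only with the real password, but the cookie that comes
    back contains nothing more than the value already sitting in the table."""
    if not _password_matches(username, password):
        return None
    return f"{username}|{USERS[username]}"


def weak_check_cookie(cookie):
    """Server side: accepted whenever the hash in the cookie matches the table.
    The cookie is therefore constructible from the table alone."""
    username, _, digest = cookie.partition("|")
    return hmac.compare_digest(USERS.get(username, ""), digest)


# --- hardened scheme: random token, stored only as a SHA-256 digest -------

SESSIONS = {}  # sha256(token) -> (username, expiry as unix time)


def hardened_issue_cookie(username, password, ttl=3600, now=None):
    """Same password check, but the browser receives a fresh random token
    that appears nowhere in the user table."""
    if not _password_matches(username, password):
        return None
    current = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    key = hashlib.sha256(token.encode()).hexdigest()
    SESSIONS[key] = (username, current + ttl)
    return token


def hardened_check_cookie(token, now=None):
    """Returns the username for a live token, or None.  Storing only the
    digest means a leaked SESSIONS table cannot be replayed either."""
    entry = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None:
        return None
    username, expiry = entry
    current = time.time() if now is None else now
    if current > expiry:
        return None
    return username


def table_leak_impact(username):
    """What a read-only copy of USERS buys under each scheme."""
    stored_hash = USERS[username]
    return {
        "weak_accepts_stored_hash": weak_check_cookie(f"{username}|{stored_hash}"),
        "hardened_accepts_stored_hash": hardened_check_cookie(stored_hash) is not None,
    }


if __name__ == "__main__":
    print(table_leak_impact("alice"))
```

The hardened scheme still stores an unsalted MD5 for the password itself, so offline cracking of a leaked table remains possible (the later comments in this thread cover that); what it removes is the shortcut where the stored value is accepted directly as a credential. Expiry and the digest-only session store are the two properties a real deployment should not drop.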
Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 3:37 UTC (Tue) by lutchann (subscriber, #8872)
I'm not very familiar with SQL/PHP security issues, but if you discovered an SQL injection vulnerability in Wordpress, couldn't you just use it to add a new user to the authentication table?

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 3:39 UTC (Tue) by lutchann (subscriber, #8872)
And by "new user" I mean "new administrator". In other words, how does having administrator access to the web site give you more power than the SQL injection vulnerability itself?

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 3:53 UTC (Tue) by drag (subscriber, #31333)
I donno. Good point. I just figured being able to display a table requires fewer rights than being able to modify it, and since it's needed by the authentication stuff then it would be accessible to parts of the website accessible by anonymous people.

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 6:09 UTC (Tue) by Ross (subscriber, #4065)
For one thing, this type of problem would allow access to continue long after the broken code is fixed, without the user knowing about it. Also, because of the way the password is stored, it would easily allow offline cracking of passwords, and users tend to reuse the same password on different sites.

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 6:41 UTC (Tue) by lutchann (subscriber, #8872)
That's true of pretty much any authentication system, except those based on asymmetric cryptography. Wordpress is far from unusual in storing password equivalents on disk. So unless Wordpress somehow encouraged making the user table accessible to attackers, I still don't see why this is a big deal.

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 9:15 UTC (Tue) by Ross (subscriber, #4065)
It's true that any encrypted password can be attacked offline if you have the hash, but if the passwords were properly salted, it would be much more expensive to crack them because an attacker couldn't build a pre-encrypted dictionary.

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 16:10 UTC (Tue) by drag (subscriber, #31333)
Ya.. Google around for 'Rainbow tables'. There are ones you can download for free and ones you can pay for. Just going out to pirate bay and doing a quick search I found downloads for MD5, SHA1, and NT Lan Manager tables.

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 18:21 UTC (Tue) by Los__D (subscriber, #15263)
The main purpose of salts is to combat things like rainbow tables.

Wordpress Cookie Authentication Vulnerability
Posted Nov 20, 2007 19:12 UTC (Tue) by jengelh (subscriber, #33263)
The main purpose of rainbow tables is to combat unsalted web apps ;-)
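Ross, drag, Los__D and jengelh are circling one fact: a precomputed table of hashes is built once and then reused against every unsalted database, while a per-user random salt forces the work to be redone per user. The following is an added example for this thread, not code from WordPress or from any of the commenters. A plain dictionary from md5(candidate) to candidate stands in for a rainbow table (a real rainbow table trades memory for recomputation, but matches the same unsalted hashes), and PBKDF2 with a random 16-byte salt stands in for "properly salted" storage. The wordlist and password are constructed.

```python
"""Added example: precomputed hash dictionary versus salted, stretched storage.

Not from the thread or from WordPress.  Shows (1) a one-time precomputed table
recovers an unsalted MD5 instantly, (2) the same table finds nothing in a
salted record, and (3) the salted record still verifies the right password.
"""
import hashlib
import hmac
import os

# Constructed wordlist: in practice this would be millions of candidates.
WORDLIST = ["password", "letmein", "correct horse", "hunter2"]


def build_precomputed_table(words, algo="md5"):
    """One-time cost, paid before any database is ever seen.  The result is
    reusable against every system that stores unsalted `algo` hashes."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup_unsalted(table, stored_hash):
    """Unsalted storage: a dictionary lookup, no hashing at all."""
    return table.get(stored_hash)


def store_salted(password, iterations=100_000):
    """Salted and stretched storage (PBKDF2-HMAC-SHA256).  The salt is random
    per record and stored beside the hash; it need not be secret."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(record, password):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(dk.hex(), record["hash"])


def lookup_salted(table, record):
    """The table was built without this record's salt, so it cannot contain
    the salted hash: the precomputation is worthless here and the attacker
    is back to hashing each candidate, per user, at `iterations` cost each."""
    return table.get(record["hash"])


def demo():
    """Run both storage styles against the same precomputed table."""
    table = build_precomputed_table(WORDLIST)
    unsalted_record = hashlib.md5(b"hunter2").hexdigest()
    salted_record = store_salted("hunter2", iterations=1000)
    return {
        "unsalted_recovered": lookup_unsalted(table, unsalted_record),
        "salted_recovered": lookup_salted(table, salted_record),
        "salted_verifies": verify_salted(salted_record, "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

The salt defeats the shared table; the iteration count is what makes the per-user work expensive once the table is gone. Both are needed, which is why a modern password hash (PBKDF2, bcrypt, scrypt, Argon2) bundles them, and why the 1000 iterations used in `demo` for speed should be far higher in production.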
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.