
Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 0:25 UTC (Tue) by drag (subscriber, #31333)
In reply to: Wordpress Cookie Authentication Vulnerability by lutchann
Parent article: Wordpress Cookie Authentication Vulnerability

Well if you use a code injection vulnerability you can display tables and such without actually
having login access to the database. Finding an input field (say URL or text input box) without
correct input validation can provide this level of access.

Since Wordpress then, effectively through cookies, uses MD5 hashes of passwords as passwords then
it's stupid simple to gain access to any account.


To look at it this way...

A similar example would be on old Unix boxes without shadow passwords. Say you get access to an
FTP account; all you have to do is then download the /etc/passwd file. This is very easy to do
since everything uses that file for doing such mundane things as mapping a username to uid.
Any network service, any user program, any user account can allow access to /etc/passwd. You
don't need to be root to do that.

It appears to me that the password table in the sql database is pretty much equivalent to
/etc/passwd.

Well in those old Unix/Linux systems the passwords would be encrypted in some manner. The
attacker would then have to run a brute force program to find passwords that match the hashes.

However.. Wordpress is so badly designed that the attacker does not have to even do that. Once
they obtain the hash of the password they can actually use the hash _as_the_password_. It's
very bad.

So this vulnerability is a combination of an attacker finding bad input validation and badly
designed Single-Sign-On authentication systems based on browser cookies.
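
The design flaw drag describes, modelled as an added example (this is not WordPress code and not
from the thread): in the weak scheme the cookie carries the same MD5 that the user table stores,
so whoever can read that table can mint an accepted cookie without knowing any password. The
hardened scheme beside it issues an HMAC over user and expiry under a server-side secret that is
not in the database, so a copy of the table alone no longer yields a usable cookie. The user table,
the cookie layout, `SERVER_SECRET` and all function names are assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed user table: username -> stored password hash.
# Assumption for this example: the store holds a bare MD5 of the password,
# as the comment above describes for WordPress of that era.
USER_TABLE = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
}

# --- Weak design: the cookie carries the stored hash itself -----------------

def weak_make_cookie(username, password):
    """Cookie is 'user|md5(password)'; md5(password) is also what the table stores."""
    return f"{username}|{hashlib.md5(password.encode()).hexdigest()}"

def weak_verify_cookie(cookie):
    """Accepts the cookie if its hash field equals the stored hash.
    Anyone who can read the stored hash can produce an accepted cookie
    without ever knowing the password: the hash *is* the password."""
    username, presented = cookie.split("|", 1)
    stored = USER_TABLE.get(username)
    return stored is not None and hmac.compare_digest(stored, presented)

# --- Hardened design: HMAC over user|expiry with a server-side secret ---------

# Assumed to live in server configuration, never in the SQL user table.
SERVER_SECRET = b"example-secret-not-in-the-database"

def strong_make_cookie(username, password, now=None, ttl=3600):
    """Issued only after the password itself has been checked against the store.
    The cookie binds user and expiry under a key that is not in the user table."""
    if hashlib.md5(password.encode()).hexdigest() != USER_TABLE.get(username):
        raise PermissionError("bad password")
    expiry = int(now if now is not None else time.time()) + ttl
    msg = f"{username}|{expiry}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expiry}|{tag}"

def strong_verify_cookie(cookie, now=None):
    """Rejects malformed, expired, or tampered cookies; constant-time tag compare."""
    try:
        username, expiry_s, tag = cookie.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if expiry < (now if now is not None else time.time()):
        return False
    msg = f"{username}|{expiry}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def cookie_from_stored_hash_is_accepted(username):
    """Threat model from the thread: the stored hash has been read, but neither the
    password nor the server secret is known. Returns (weak_accepts, strong_accepts)."""
    stored = USER_TABLE[username]
    weak_cookie = f"{username}|{stored}"
    strong_attempt = f"{username}|{int(time.time()) + 3600}|{stored}"
    return weak_verify_cookie(weak_cookie), strong_verify_cookie(strong_attempt)

if __name__ == "__main__":
    print("weak accepts, strong accepts:", cookie_from_stored_hash_is_accepted("alice"))
```

The point of the hardened form is only that the stored hash stops being a credential; an attacker
who can read the table can still attack the hashes offline, which the rest of the thread covers.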



Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 3:37 UTC (Tue) by lutchann (subscriber, #8872)

I'm not very familiar with SQL/PHP security issues, but if you discovered an SQL injection
vulnerability in Wordpress, couldn't you just use it to add a new user to the authentication
table?

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 3:39 UTC (Tue) by lutchann (subscriber, #8872)

And by "new user" I mean "new administrator".  In other words, how does having administrator
access to the web site give you more power than the SQL injection vulnerability itself?

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 3:53 UTC (Tue) by drag (subscriber, #31333)

I donno. Good point.

I just figured being able to display a table requires less rights than being able to modify it,
and since it's needed by the authentication stuff then it would be accessible to parts of the
website accessible by anonymous people.

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 6:09 UTC (Tue) by Ross (subscriber, #4065)

For one thing, this type of problem would allow access to continue long after the broken code
is fixed, without the user knowing about it.  Also, because of the way the password is stored,
it would easily allow offline cracking of passwords, and users tend to reuse the same password
on different sites.

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 6:41 UTC (Tue) by lutchann (subscriber, #8872)

That's true of pretty much any authentication system, except those based on asymmetric
cryptography.  Wordpress is far from unusual in storing password equivalents on disk.  So
unless Wordpress somehow encouraged making the user table accessible to attackers, I still
don't see why this is a big deal.

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 9:15 UTC (Tue) by Ross (subscriber, #4065)

It's true that any encrypted password can be attacked offline if you have the hash, but if the
passwords were properly salted, it would be much more expensive to crack them because an
attacker couldn't build a pre-encrypted dictionary.
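
Ross's point about the "pre-encrypted dictionary", shown as an added example (not code from the
thread or from WordPress): against an unsalted MD5 table a dictionary of hashes is computed once,
before any particular table is seen, and then costs one lookup per user. With a random per-user
salt and a slow KDF (PBKDF2 is used here as the assumed hardened form) nothing can be precomputed,
and every guess has to be rehashed for every user. The user list, word list and all names are
constructed for this example.

```python
import hashlib
import os

# Constructed word list standing in for a precomputed dictionary or rainbow table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "correct horse"]

def unsalted_hash(password):
    """Unsalted MD5: identical passwords give identical hashes on every site."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF; the salt is stored beside the result
    so verification can recompute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_precomputed_dictionary(wordlist):
    """Hash each guess once, keyed by hash. Built before seeing any table and
    reusable against every unsalted table that ever leaks."""
    return {unsalted_hash(w): w for w in wordlist}

def lookup_unsalted(table, precomputed):
    """One dictionary lookup per user; the work does not grow with the word list."""
    return {user: precomputed[h] for user, h in table.items() if h in precomputed}

def guess_salted(table, wordlist):
    """With per-user salts nothing is precomputable: each guess must be rehashed
    for each user. Returns what was recovered and how many KDF calls it took."""
    found = {}
    work = 0
    for user, (salt, h) in table.items():
        for guess in wordlist:
            work += 1
            if salted_hash(guess, salt) == h:
                found[user] = guess
                break
    return found, work

def demo(users=None):
    """Builds both kinds of table for a constructed user set and measures the difference.
    Returns (recovered_from_unsalted, recovered_from_salted, kdf_calls_for_salted)."""
    users = users or {"alice": "letmein", "bob": "123456", "carol": "Tr0ub4dor&3"}
    unsalted_table = {u: unsalted_hash(p) for u, p in users.items()}
    salted_table = {}
    for u, p in users.items():
        salt = os.urandom(16)  # fresh random salt per user
        salted_table[u] = (salt, salted_hash(p, salt))
    precomputed = build_precomputed_dictionary(COMMON_PASSWORDS)
    from_unsalted = lookup_unsalted(unsalted_table, precomputed)
    from_salted, work = guess_salted(salted_table, COMMON_PASSWORDS)
    return from_unsalted, from_salted, work

if __name__ == "__main__":
    unsalted, salted, work = demo()
    print("unsalted table: recovered", unsalted, "with 0 hash computations after precompute")
    print("salted table:   recovered", salted, "after", work, "slow KDF calls")
```

Weak passwords are still recovered from the salted table, which is Ross's qualifier: salting does
not make a guessable password safe, it removes the shortcut of amortising the hashing across every
user and every site, and the slow KDF makes each remaining guess expensive.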

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 16:10 UTC (Tue) by drag (subscriber, #31333)

Ya..

Google around for 'Rainbow tables'. There are ones you can download for free and ones you can
pay for. 

Just going out to pirate bay and doing a quick search I found downloads for MD5, SHA1, and NT
LAN Manager tables.

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 18:21 UTC (Tue) by Los__D (subscriber, #15263)

The main purpose of salts is to combat things like rainbow tables.

Wordpress Cookie Authentication Vulnerability

Posted Nov 20, 2007 19:12 UTC (Tue) by jengelh (subscriber, #33263)

The main purpose of rainbow tables is to combat unsalted web apps ;-)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds