[wp-forums] tommix b-flagged

Otto otto at ottodestruct.com
Mon May 7 08:13:49 UTC 2012


On Sun, May 6, 2012 at 11:10 PM, Mark E <mark at edwards.org> wrote:
> Actually after reading both reports they are indeed vulnerabilities. In the
> first one, a person might think "well if you can sniff a nonce value you can
> sniff a username and password and simply login" - but, nonces travel a
> network far more often than login credentials, so the risk is more
> prevalent. Not incredibly dangerous, but definitely an issue as best I can
> tell.

Nonces change every twelve hours, and are different for each
operation. So if you can sniff the nonce and then trick an
authenticated user into visiting your site, then yes, you can make
things happen. Good luck with that.

Note that if you can sniff the connection, then you can get the cookie
and authenticate as the user yourself and do whatever you want. No
trickery needed.

> In the second one, it's also a vulnerability. Not incredibly problematic,
> probably no more problematic than having a known login screen at
> wp-login.php that can be brute-force attacked.

That link talks about how you can install WordPress using your own
MySQL server setup elsewhere if WordPress has been downloaded to a
site but not yet installed. We do not consider this to be a security
vulnerability, as the window of opportunity to exploit it is very
tiny. Seriously, who puts WP on a server and then doesn't actually go
and do the install process?

-Otto
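A standalone model of the nonce behaviour Otto describes (per-action value, 12-hour tick, sniffed nonce replayable only within its lifetime and only for the action it was minted for). This is an added example, not WordPress code or anything from the thread: the 24-hour default lifetime, the ceil(time / 12h) tick, the HMAC-MD5 over "tick|action|uid|token" and the 10-character slice mirror WordPress core's pluggable.php as I understand it, while the salt, user id, session token, timestamps and the `handle_request` endpoint are constructed sample values for illustration.

```python
"""
Python model of WordPress-style nonces (added example, not WordPress code).
Assumed from core: 24h lifetime, tick = ceil(now / 12h), HMAC-MD5 over
"tick|action|uid|token", nonce = hex digest chars [-12:-2].
Constructed: the salt, the user/session values and the request handler.
"""
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60        # WordPress default lifetime: one day
TICK = NONCE_LIFE / 2            # value rolls over every 12 hours
NONCE_SALT = b"constructed-sample-salt"   # stands in for NONCE_SALT in wp-config.php


def nonce_tick(now: float) -> int:
    """ceil(now / (life/2)), as wp_nonce_tick() does."""
    return math.ceil(now / TICK)


def _mint(tick: int, action: str, uid: int, token: str) -> str:
    data = f"{tick}|{action}|{uid}|{token}".encode()
    return hmac.new(NONCE_SALT, data, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action: str, uid: int, token: str, now: float) -> str:
    """Nonce for one action, one user, one session, current 12h tick."""
    return _mint(nonce_tick(now), action, uid, token)


def verify_nonce(nonce: str, action: str, uid: int, token: str, now: float) -> int:
    """1 = minted in the current tick, 2 = in the previous tick (so a nonce
    stays valid for 12 to 24 hours), 0 = invalid. Constant-time compare."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_mint(t, action, uid, token), nonce):
            return age
    return 0


def handle_request(req: dict, now: float) -> str:
    """Server side of a state-changing action (constructed endpoint).
    The cookie identifies the user; the nonce proves the request was minted
    recently for that user, session and action. Returns 'ok' or 'forbidden'."""
    uid, token = req["cookie_uid"], req["cookie_token"]
    action = f"delete-post_{req['post_id']}"
    if verify_nonce(req.get("_wpnonce", ""), action, uid, token, now):
        return "ok"
    return "forbidden"


def sniffed_nonce_timeline() -> dict:
    """Attacker sniffs a nonce at t0, then tricks the still-logged-in victim's
    browser (which attaches the real cookie) into sending it later."""
    uid, token = 7, "constructed-session-token"
    t0 = 10 * TICK + 1000                 # shortly after a tick boundary
    sniffed = create_nonce("delete-post_42", uid, token, t0)

    def forged(post_id: int, at: float, cookie_uid: int = uid) -> str:
        req = {"cookie_uid": cookie_uid, "cookie_token": token,
               "post_id": post_id, "_wpnonce": sniffed}
        return handle_request(req, at)

    return {
        "same_action_6h": forged(42, t0 + 6 * 3600),     # current tick: ok
        "same_action_18h": forged(42, t0 + 18 * 3600),   # previous tick: ok
        "same_action_30h": forged(42, t0 + 30 * 3600),   # two ticks old: dead
        "other_post": forged(43, t0 + 6 * 3600),         # different action
        "other_user": forged(42, t0 + 6 * 3600, cookie_uid=8),
        "no_nonce": handle_request({"cookie_uid": uid, "cookie_token": token,
                                    "post_id": 42}, t0),
    }


if __name__ == "__main__":
    for k, v in sniffed_nonce_timeline().items():
        print(f"{k:16} {v}")
```

The timeline is the point: a sniffed nonce is only useful for the one action it was minted for, only while the victim's session lasts, and only for at most 24 hours, and the attacker still has to get the victim's browser to send it. An attacker who can sniff the session cookie instead needs none of this, because the server will mint fresh nonces for whoever presents that cookie.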

