[wp-hackers] Security Vulnerability found
denis at semiologic.com
Wed Apr 13 14:31:50 GMT 2005
I understand this somewhat differently. As in, a registered level 0 user could
get my admin cookie. So the severity is medium indeed.
Speaking of cookies, I saw WordPress stores an md5 hash of the user's account
md5 hashed password in a cookie. This is hacker bait. I personally did the
following on my previous sites:
on login:
- generate random token
- store token and user id in cookie
- store token, user id and user ip in a session table
session_id | session_token | user_id | user_ip
on page view:
- match broadcasted data to session data
=> up to here, it works much the same as wordpress
- check IP; on inconsistency, log user out and warn admin
=> differs from WordPress, I believe
- else continue, and regen token every so often
=> differs from WordPress, I believe
downside:
- not perfect either (you can still hijack an account, but it is much more difficult)
upsides:
- hacker cannot decrypt login + password by simply catching a cookie
optionally, allow only one session per user_id. This limits the risk of losing
your blog if you forget to log out from a cybercafe.
likewise, optionally log off after a timeout period.
--
Denis
http://www.semiologic.com
Quoting Brian Dupuis <wordpress at coldforged.org>:
> Eli Sarver wrote:
>
> >Has this been addressed?
> >
> >http://soulblack.com.ar/repo/papers/wordpress_advisory.txt
> >
> >Title: WordPress XSS and HTML injection
> >Vulnerability discovery: SoulBlack - Security Research -
> >http://soulblack.com.ar
> >Date: 12/04/2005
> >Severity: Medium. users can obtain cookies of other users and defacement website
> >Affected version: <= 1.5
> >
> So, blog authors can insert HTML into their titles and posts?
> Admittedly, perhaps some stripping of particular elements (e.g.
> "script") could/should be done, the arbitrary conversion of _all_ tags
> is a bit daft. Look out for those "<em>" tags!
>
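The login and page-view scheme described in the message above (random token in the cookie, server-side session table with the login IP, logout plus admin warning on an IP mismatch, periodic token regeneration, optional single session per user and timeout), as an added example in Python. This is not code from the original post or from WordPress; the in-memory dict standing in for the session table and the injectable clock are assumptions made for testability.

```python
import secrets
import time
import hmac

class SessionStore:
    """Server-side session table (an in-memory dict here, assumed): session_id -> record.
    The cookie carries only (token, user_id); the table additionally records the login IP."""

    def __init__(self, rotate_every=5, timeout=3600, single_session=True, clock=time.time):
        self.rotate_every, self.timeout = rotate_every, timeout
        self.single_session, self.clock = single_session, clock
        self.sessions = {}        # session_id -> {token, user_id, user_ip, views, last_seen}
        self.admin_warnings = []  # "warn admin" channel, just a list in this example

    def login(self, user_id, user_ip):
        if self.single_session:  # optional: only one live session per user_id
            for sid in [s for s, r in self.sessions.items() if r["user_id"] == user_id]:
                del self.sessions[sid]
        token = secrets.token_hex(32)  # random token: nothing derived from the password
        self.sessions[secrets.token_hex(8)] = {"token": token, "user_id": user_id,
                                               "user_ip": user_ip, "views": 0,
                                               "last_seen": self.clock()}
        return {"token": token, "user_id": user_id}  # what goes into the cookie

    def _find(self, cookie):
        # Match broadcast cookie data against the session table (constant-time token compare).
        for sid, rec in self.sessions.items():
            if rec["user_id"] == cookie.get("user_id") and \
               hmac.compare_digest(rec["token"], cookie.get("token", "")):
                return sid, rec
        return None, None

    def page_view(self, cookie, user_ip):
        """Returns (status, cookie_to_set); status is ok / invalid / timeout / ip_mismatch."""
        sid, rec = self._find(cookie)
        if rec is None:
            return "invalid", None
        if self.clock() - rec["last_seen"] > self.timeout:  # optional idle timeout
            del self.sessions[sid]
            return "timeout", None
        if rec["user_ip"] != user_ip:  # inconsistency: log the user out and warn admin
            del self.sessions[sid]
            self.admin_warnings.append(f"user {rec['user_id']}: ip {rec['user_ip']} -> {user_ip}")
            return "ip_mismatch", None
        rec["views"] += 1
        rec["last_seen"] = self.clock()
        if rec["views"] % self.rotate_every == 0:  # regenerate the token every so often
            rec["token"] = secrets.token_hex(32)
            cookie = {"token": rec["token"], "user_id": rec["user_id"]}
        return "ok", cookie
```

A stolen cookie still buys the attacker nothing about the password, and it stops working as soon as it is presented from another IP or the token rotates underneath it.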