[wp-hackers] Wordpress Cookie Authentication Vulnerability

Stephane Daury wordpress at tekartist.org
Thu Nov 22 04:06:09 GMT 2007


Hey Callum,


On Nov 21, 2007, at 22:34, Callum Macdonald wrote:

> Otto wrote:
>> It seems like we have two different discussions going on here.
>>
>> 1. Password: If we were to use salt, we could prevent dictionary
>> attacks. Great. Fine. Whatever. We get it, but that's not the
>> vulnerability we're talking about here. Salt wouldn't fix this
>> problem.
>>
> So let's do that... :)

+1: feels like WP powers half the web these days. I think it's a matter  
of due diligence.


>
>> 2. Cookies: Why are we using double-MD5 as the cookie? Why are we not
>> using PHP Sessions instead? This would prevent this problem. Anybody
>> know?
>>
> Sessions don't allow persistent logins.

I'd venture to say it's because PHP sessions are sometimes disabled by  
the site admin, or historically because PHP did not support them on  
all installs many, many years ago.

On sessions vs. persistent login: PHP sessions don't, ours could.  
Session keys are combined with an expiry date (at least in the  
solution I offered earlier in the thread), the same as a cookie is, so  
the same logic applies.


> I don't think the current solution is a particularly major  
> vulnerability, although I think it would make sense to store a login  
> token and update that every time the user logs in. That token is  
> then written to the cookie (as in MediaWiki for example).

That login token is the same as a session key. The constant update is  
a coder's choice, and more secure by increasing randomization, but it  
can still be combined with the expiry policy (update token/cookie at  
page load, but only if not expired).


> This raises the question, if somebody writes the code, how does it  
> end up in core?

Yeah, let me know because I already have it all in a bunch of projects  
if need be (though there's nothing complex beyond the expiry gotchas).

BTW: the human generated salt thing is something I got advised on by  
an East European PhD-toting security expert on a project to help me  
secure it years ago. His argument was quite convincing: "Hey, I wrote  
a Perl script that hijacks your sessions in less than twelve minutes.  
Want some help?". Good thing he was a white hat. ;-)


Stephane


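The scheme discussed in the thread (a random login token with a server-side expiry, rotated on each valid page load, in place of a cookie derived from the password hash; plus salted password hashing for the login step), written out as an added example. This is not WordPress code and not code from any participant in the thread. The `wp_login_token` cookie name, the `$users` and `$tokens` arrays standing in for database tables, and the 14-day lifetime are assumptions made for the example.

```php
<?php
// Added example, not WordPress core: persistent login via a random token
// with expiry and rotation, instead of a double-MD5 of the password hash.
declare(strict_types=1);

const TOKEN_COOKIE   = 'wp_login_token';   // hypothetical cookie name
const TOKEN_LIFETIME = 14 * 24 * 3600;     // 14 days, an assumed policy

// Constructed stand-ins for DB tables. password_hash() picks a random salt
// per user (bcrypt), so equal passwords do not share a hash.
$users  = [42 => ['pass_hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$tokens = [];   // user_id => ['hash' => sha256(token), 'expires' => unix time]

// Issue a fresh 256-bit token; only its hash is stored, so a leaked table
// does not hand out usable cookies.
function issue_token(array &$tokens, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $tokens[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + TOKEN_LIFETIME,
    ];
    return $token;
}

// Login: verify the salted hash, then issue a brand-new token (the
// "update on every login" MediaWiki-style behaviour). Returns the cookie
// value or null on failure.
function login(array $users, array &$tokens, int $userId, string $password, int $now): ?string
{
    if (!isset($users[$userId]) ||
        !password_verify($password, $users[$userId]['pass_hash'])) {
        return null;
    }
    return $userId . '|' . issue_token($tokens, $userId, $now);
}

// Send the cookie. Call before any output. HttpOnly keeps script out of it;
// Secure keeps it off plain HTTP.
function set_token_cookie(string $cookieValue, int $expires): void
{
    setcookie(TOKEN_COOKIE, $cookieValue, [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Per page load: validate the cookie and, only if it has not expired,
// rotate the token. Returns the new cookie value or null (force re-login).
function validate_and_rotate(array &$tokens, string $cookie, int $now): ?string
{
    $parts = explode('|', $cookie, 2);
    if (count($parts) !== 2 || !preg_match('/^\d+$/', $parts[0])) {
        return null;
    }
    $userId = (int) $parts[0];
    $token  = $parts[1];
    if (!isset($tokens[$userId])) {
        return null;
    }
    if ($now >= $tokens[$userId]['expires']) {
        unset($tokens[$userId]);                 // expired: do not rotate
        return null;
    }
    // Constant-time compare so response timing cannot leak the stored hash.
    if (!hash_equals($tokens[$userId]['hash'], hash('sha256', $token))) {
        return null;
    }
    return $userId . '|' . issue_token($tokens, $userId, $now);   // rotate
}

// Demo (php this_file.php): login, one page load, a replayed old cookie,
// and an expired cookie.
$now = time();
$c1  = login($users, $tokens, 42, 'correct horse', $now);
$c2  = $c1 === null ? null : validate_and_rotate($tokens, $c1, $now + 60);
echo $c2 !== null ? "page load ok, token rotated\n" : "page load rejected\n";

$replay = validate_and_rotate($tokens, (string) $c1, $now + 120);
echo $replay === null ? "replayed old cookie rejected\n" : "replay accepted (bug)\n";

$late = validate_and_rotate($tokens, (string) $c2, $now + 61 + TOKEN_LIFETIME);
echo $late === null ? "expired cookie rejected\n" : "expired accepted (bug)\n";
echo login($users, $tokens, 42, 'wrong', $now) === null ? "bad password rejected\n" : "bug\n";
```

Rotation on every load means a stolen cookie is only good until the legitimate user's next request, at which point the server-side hash changes and the copy stops validating; the expiry check runs before rotation so an expired token is never refreshed into a live one.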