[wp-hackers] Security: Oracle and WordPress

Mark Jaquith mark.wordpress at txfx.net
Fri Jun 23 02:28:44 GMT 2006

On Jun 22, 2006, at 3:08 PM, Doug Stewart wrote:

> AFAICS, that vulnerability isn't a WordPress one, but rather a flaw in
> Mark's Subscribe to Comments.

The flaw is a shared one.  It isn't a flaw in my plugin alone, nor is  
it a flaw in WordPress alone, it is a combined flaw, that enables  
exploitation of a flaw that exists solely in WordPress versions 2.0,  
2.0.1 and 2.0.2.  That is, there was no security risk using my plugin  
until WordPress 2.0 was released.  Because of that, upgrading to  
Subscribe to Comments 2.0.4 OR upgrading to WordPress 2.0.3 closes  
the joint vulnerability (but you should upgrade WordPress to 2.0.3  
anyway, because there are other security issues in 2.0.2).

Basically, I chose a certain md5 hash with a certain salt.  6-12  
months later, WP 2.0 was released with a hash that was salted the  
same way.  If you registered a WP account with your user name as an e- 
mail address, you could get the Subscribe to Comments hash to match  
your WP user hash, and then know the location of your user cache  
files.  You could then use an input sanitization bug in WP to write  
executable data to your user cache file, and you'd know where it was  
located so you could run it.

Steven J. Murdoch, who wrote that article, contacted me almost a  
month ago and relayed this information to me.  I released Subscribe  
to Comments 2.0.4 [1] on May 28th, to protect people until WP 2.0.3  
came out a few days later.

[1] http://markjaquith.wordpress.com/2006/05/28/subscribe-to- 
Mark Jaquith

More information about the wp-hackers mailing list