[wp-hackers] Wordpress Cookie Authentication Vulnerability

Computer Guru computerguru at neosmart.net
Wed Nov 21 05:37:52 GMT 2007


Ermm... just to point out: you would add the second SALT column *after*
your database has been compromised.

On 11/21/07, Computer Guru <computerguru at neosmart.net> wrote:
>
> Unfortunately not.
>
> There are libraries available in other languages, but MD5 has been the
> "standard" in PHP-based web-apps for too long.
>
> I find myself linking, once again, to Jeff Atwood's excellent article:
> http://www.codinghorror.com/blog/archives/000953.html
>
> This section jumps out at me in the current context:
> *********
> *Do not invent your own "clever" password storage scheme*. I know, you're
> smart, and you grok this crypto stuff. But through this door lies madness--
> and abominations like LMHash <http://en.wikipedia.org/wiki/LM_hash> that
> have ongoing, worldwide security ramifications we're still dealing with
> today. Take advantage of whatever password storage tools your framework
> provides, as they're likely to be a heck of a lot better tested and more
> battle-proven than any crazy scheme you and your team can come up with on
> your own. Security vulnerabilities, unlike functionality bugs in your
> application, run deep and silent. They can lay dormant for years.
> ********
>
>
> At any rate, my REALLY simple answer to the whole "having passwords in the
> db means crackers can fake cookies" problem:
> Add a second SALT column to your database. Make password hashes
> twice-salted; therefore effectively:
> 1) Rendering all existing hashes useless
> 2) Logging out all users
> 3) Preserving backwards compatibility in that you can use the data you
> already have to make the new hash.
>
> Only problem is, it probably doesn't work too well for a published package
> like WP.... It's fine for company XYZ running their own software, hosted
> in-house, w/ real coders available to make the change on demand; it
> addresses all the problems; and it's easy to use.... but it definitely won't
> work when you're distributing the code for others to deploy..........
>
>
> -CG
>
> On 11/21/07, Otto <otto at ottodestruct.com> wrote:
> >
> > Great! Now that you like the idea, let me shoot it down. :)
> >
> > This approach prevents "staying logged in" on multiple computers. I
> > login from work and home. I leave my cookie on both, and have no
> > issues. With this approach, I have to login every time, since the BRS
> > keeps changing. Can true session ID's solve this?
> >
> > Longer term answer: Why are we building this logic ourselves anyway?
> > This seems like it should be a solved problem. Is there no PHP library
> > that will do this for us?
> >
> > -Otto
> >
> >
> >
> > On 11/20/07, Bas Bosman <wordpress at nazgul.nu> wrote:
> > > > Is there any reason in particular WP is using MD5 as opposed to a
> > > > stronger algorithm?
> > >
> > > Yes, because WordPress still supports PHP 4.2, which doesn't really have
> > > any good support for a stronger algorithm.
> > >
> > > But as mentioned in the Trac ticket, MD5 isn't the issue here. The issue
> > > is that we have a guessable cookie, based on read-only database access or
> > > non-SSL network sniffing.
> > >
> > > I think Otto gave a nice overview of a possible solution, which can
> > > optionally be enhanced by linking login cookies to IP addresses to further
> > > minimize the chances of cookie stealing. (Mark the optional, because it
> > > can have unwanted side-effects in some network setups.)
> > >
> > > Regards,
> > > Bas Bosman (Nazgul)
> > >
> > > _______________________________________________
> > > wp-hackers mailing list
> > > wp-hackers at lists.automattic.com
> > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
> >
>
>
>
> --
> Computer Guru
> Director,
> NeoSmart Technologies
> http://neosmart.net/blog/
>



-- 
Computer Guru
Director,
NeoSmart Technologies
http://neosmart.net/blog/
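As an added illustration (not code from this thread or from WordPress), here is a Python sketch of the defender's side of the problem discussed above: the login cookie is a keyed MAC over the username, expiry and a per-user session salt, with the key kept in server configuration rather than the database, so read-only database access alone is no longer enough to construct a valid cookie. Rotating the per-user salt is the "second SALT column" idea, and, as Otto points out, it logs the user out on every device at once. The secret, user table and salt values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed: the signing key lives in server config, not in the database,
# so a read-only database compromise does not reveal it.
SERVER_SECRET = b"constructed-example-key-replace-in-real-deployments"

# Constructed user table: exactly what a read-only DB leak would expose.
USERS = {
    "alice": {"pw_hash": hashlib.md5(b"hunter2").hexdigest(), "session_salt": "salt-v1"},
}

def _mac(username, expires, session_salt, secret):
    msg = f"{username}|{expires}|{session_salt}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_cookie(username, expires, secret=SERVER_SECRET):
    """Issue a login cookie: user|expiry|HMAC. Nothing here is derived from pw_hash."""
    salt = USERS[username]["session_salt"]
    return f"{username}|{expires}|{_mac(username, expires, salt, secret)}"

def verify_cookie(cookie, now, secret=SERVER_SECRET):
    """Return the username if the cookie is authentic and unexpired, else None."""
    try:
        username, expires_str, mac = cookie.split("|")
        expires = int(expires_str)
    except ValueError:
        return None
    user = USERS.get(username)
    if user is None or now > expires:
        return None
    expected = _mac(username, expires, user["session_salt"], secret)
    # Constant-time comparison so the MAC cannot be matched byte by byte.
    return username if hmac.compare_digest(mac, expected) else None

def rotate_session_salt(username):
    """The 'second SALT column' idea: a new per-user salt invalidates every
    cookie issued for this user, on every device, without touching pw_hash."""
    USERS[username]["session_salt"] = secrets.token_hex(8)
    return USERS[username]["session_salt"]
```

A cookie built from database contents alone (any key other than SERVER_SECRET) fails verification, while unchanged salts keep the work and home cookies both valid until the user rotates.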

