[wp-hackers] Wordpress Cookie Authentication Vulnerability

Jacob wordpress at santosj.name
Thu Nov 22 05:45:08 GMT 2007


Jacob wrote:
> I agree that this should move from discussions on how to do it to 
> actually doing something.
Although, I technically break this myself. I'm god, so I'm exempt from 
following what I say.
>
> What Travis Snoozy said is accurate: WordPress has a salt and hashing 
> function now (the last two functions in pluggable.php), and most of what 
> you need is also contained in pluggable.php.
I'm not saying Travis is right about salt and hashing; I don't remember 
him talking about that. I'm saying he is correct about being able to 
redefine what WordPress writes in the cookie without playing with core.
>
> The only thing you would need to do to create a permanent user id, is:
>
> 1. Override the wp_get_cookie_login() function since it has to return 
> the clear text username and MD5 password. Really, this step is not 
> required if you hook into the wp_authenticate action and reference the 
> two parameters to get the username and password.
>
> 2. wp_setcookie() function needs to be overwritten, since it does the 
> double hashing of the password. Using the method [1] described in the 
> ticket [2], I would say that it should be this method. Whether or not 
> the session id is given is up in the air (
>
> session_set_cookie_params(31536000, COOKIEPATH);
> session_start();
>
> ), then use the session id with the method.
>
> 3. wp_clearcookie(), only if you replace USER_COOKIE and PASS_COOKIE 
> with something else in the plugin or core.
>
> In which case, it could be entirely possible to use 
> session_set_cookie_params and sessions completely instead of setting 
> the username and password in the cookie, and keep the session for as 
> long as the user doesn't sign out, or destroy it if the visitor isn't 
> signed in (no reason to keep the session for as long as the cookie).
>
> I say, two such plugins are in order. One which takes the complete 
> session based approach for those whose hosts don't suck and the other 
> which still uses the cookie approach.
>
> 4. In registration.php, wp_insert_user() would have to be used to use 
> wp_hash(). However, this step is something entirely different and not 
> part of the issue. However, I would rather like it if I could say, use 
> MySQL AES instead to encrypt the password, which from what I can see, 
> I can't really do (haven't looked at wp_register.php).
>

The references:

[1] http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

[2] http://trac.wordpress.org/ticket/5367#comment:12

-- 

Jacob Santos

http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.

Also known as darkdragon and santosj on WP trac.
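The thread contrasts the current cookie (clear-text username plus MD5 password hash) with the signed, expiring cookie of reference [1] that step 2 proposes for wp_setcookie(). The following is an added illustration, not WordPress code or anything from the ticket: it builds a `username|expiration|HMAC` cookie and validates it. The key string, cookie layout, helper names and timestamps are assumptions chosen for the example.

```php
<?php
// Added example (not WordPress code): a signed, expiring login cookie in the
// style of the secure-cookie protocol cited as [1], next to the old
// "username|md5(password)" cookie the thread is discussing. Helper names,
// the cookie layout and the server key are assumptions for illustration.

const COOKIE_LIFETIME = 31536000; // one year, as in the thread's session_set_cookie_params() call

// Old style: credentials travel in the cookie. Whoever holds it stays logged
// in until the password changes, and the MD5 can be attacked offline.
function old_style_cookie(string $user, string $password): string {
    return $user . '|' . md5($password);
}

// New style: username|expiration|HMAC(username|expiration, server_key).
// Nothing derived from the password is stored, and the cookie dies on expiry.
function build_auth_cookie(string $user, int $expiration, string $server_key): string {
    $mac = hash_hmac('sha256', $user . '|' . $expiration, $server_key);
    return $user . '|' . $expiration . '|' . $mac;
}

// Validation: reject malformed cookies, expired cookies and bad MACs.
// Returns the username on success, null otherwise.
function validate_auth_cookie(string $cookie, string $server_key, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiration, $mac] = $parts;
    if (!ctype_digit($expiration) || (int)$expiration < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $user . '|' . $expiration, $server_key);
    // hash_equals() compares in constant time so MAC bytes do not leak via timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return $user;
}

// Demonstration with constructed values (a real deployment would derive the key
// from the site's secret salt, e.g. via wp_salt(), rather than a literal).
$key    = 'constructed-server-secret-for-the-example';
$now    = 1195710308; // Thu Nov 22 05:45:08 GMT 2007, the date of this post
$cookie = build_auth_cookie('alice', $now + COOKIE_LIFETIME, $key);
var_dump(validate_auth_cookie($cookie, $key, $now));                       // valid: right key, before expiry
var_dump(validate_auth_cookie($cookie, $key, $now + COOKIE_LIFETIME + 1)); // presented after its expiration
var_dump(validate_auth_cookie('bob' . substr($cookie, 5), $key, $now));    // username altered, MAC no longer matches
```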
