[wp-hackers] Randy rands

Viper007Bond viper at viper007bond.com
Wed Sep 3 14:32:42 GMT 2008


Ah, okay. Never mind then. :)

On Wed, Sep 3, 2008 at 7:13 AM, Otto <otto at ottodestruct.com> wrote:

> No, it's an actual security flaw, although not an easily exploitable
> one, and it's not really a flaw in WordPress. It's all about weak
> seeding in other programs running on the same php instance.
>
> WordPress does not call mt_srand to seed the generator. And this is
> fine, PHP seeds it itself internally. But if you're using mod_php <
> 5.2.6, then it's not reseeded every call, only at startup. If some
> other system seeds it poorly, and leaks the mt_rand() value, then you
> can predict the next mt_rand() value and exploit it. In particular,
> with WordPress, you can exploit the "lost password" function, predict
> the generated activation key, and reset the password on any user
> account.
>
> Here's an exploit that uses a flawed piece of software (phpBB) to both
> seed the generator and grab the state of mt_rand. Once it knows the
> next mt_rand, it can hack into WordPress, because WordPress does not
> do any seeding on its own, and is using the same seed as was there
> already (assuming mod_php < 5.2.6):
> http://raz0r.name/wp-content/uploads/2008/08/wp1.html
>
> -Otto
>
>
> On Tue, Sep 2, 2008 at 10:22 PM, Viper007Bond <viper at viper007bond.com>
> wrote:
> > It's just improved security, not a security flaw if I'm reading it right.
> > No different from ditching MD5 password storage or using the better
> > cookies (again, if I understand the issue).
> >
> > On Tue, Sep 2, 2008 at 11:35 AM, Otto <otto at ottodestruct.com> wrote:
> >
> >> I noticed http://trac.wordpress.org/changeset/8728 and
> >> http://trac.wordpress.org/changeset/8749 the other day. It occurred to
> >> me that since this is a fix for a security issue, it might be
> >> worthwhile to backport it to 2.0.11 as well, since that's being
> >> supported until 2010.
> >>
> >> Any plans on that?
> >>
> >> -Otto
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
> >
> >
> >
> > --
> > Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
> >
>



-- 
Viper007Bond | http://www.viper007bond.com/ | http://www.finalgear.com/
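An added example to illustrate the point Otto makes above; it is not code from the thread or from WordPress. It contrasts an activation key built from mt_rand(), whose output is fully determined by the generator state the process already holds, with one drawn from the OS CSPRNG via random_bytes() (PHP 7 and later). The function names weak_activation_key, strong_activation_key and process_keeps_mt_state_across_requests are hypothetical, and the SAPI name check is an assumption about how the "mod_php < 5.2.6" condition from the thread could be tested at runtime.

```php
<?php
// Added example, not from the mailing-list thread or from WordPress.

// Hypothetical weak generator in the pattern the thread describes: it never
// seeds the generator itself, so it inherits whatever state the PHP process
// already has, and its output is a pure function of that state.
function weak_activation_key(): string {
    $key = '';
    for ($i = 0; $i < 20; $i++) {
        $key .= dechex(mt_rand(0, 15));   // one hex digit per call
    }
    return $key;
}

// Hardened generator: 10 bytes from the operating system's CSPRNG, hex-encoded
// to 20 characters. There is no seed to recover or leak.
function strong_activation_key(): string {
    return bin2hex(random_bytes(10));
}

// Deployment check for the condition the thread names: an Apache mod_php
// older than 5.2.6 keeps one mt_rand() state for the life of the process, so
// state leaked by one application applies to every other one it hosts.
// Assumption: 'apache2handler' / 'apache' are the relevant PHP_SAPI values.
function process_keeps_mt_state_across_requests(): bool {
    $apache = in_array(PHP_SAPI, ['apache2handler', 'apache'], true);
    return $apache && version_compare(PHP_VERSION, '5.2.6', '<');
}

// Demonstration: two keys produced from the same generator state are
// identical, which is exactly why a leaked state lets the key be predicted.
mt_srand(12345);                 // constructed seed standing in for leaked state
$first  = weak_activation_key();
mt_srand(12345);
$second = weak_activation_key();
printf("weak key reproducible from known state: %s\n",
       $first === $second ? 'yes' : 'no');

// The CSPRNG-backed key has no reproducible state to recover.
$c = strong_activation_key();
$d = strong_activation_key();
printf("strong keys independent of any seed: %s\n", $c !== $d ? 'yes' : 'no');

printf("this process keeps mt_rand state across requests: %s\n",
       process_keeps_mt_state_across_requests() ? 'yes' : 'no');
```

The mitigation is the second function: a password-reset or activation token should come from random_bytes() (or openssl_random_pseudo_bytes() on older PHP), never from mt_rand(), and the check function is the kind of thing to run on a shared host to decide whether other applications in the same process can influence the generator state.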

