[wp-trac] Re: [WordPress Trac] #5367: Wordpress cookie authentication vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Tue Nov 20 23:18:13 GMT 2007
#5367: Wordpress cookie authentication vulnerability
-------------------------------------+--------------------------------------
Reporter: sjmurdoch | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.4
Component: Security | Version: 2.3.1
Severity: normal | Resolution:
Keywords: security, password, md5 |
-------------------------------------+--------------------------------------
Comment (by sjmurdoch):
@dougal
I didn't pick WordPress arbitrarily, or because it is popular, but rather
because my WordPress blog (and probably a large number of others) was
hacked using precisely this vulnerability.
And no, just because an attacker has '''had''' read access to your
database does not mean you've lost the battle. Using security measures
that have been standard since the 1970s (password hashing and salting), it
is quite easy to recover from such compromises, by restoring the database.
Then there is the well established principle of "defence in depth".
There are a variety of ways an attacker could get read access to the
database, while not being able to do anything more. For example, certain
SQL injection flaws can only read but not modify tables, or the attacker
could simply find a backup. Before I went public with this vulnerability,
I trawled Google for people who had left database backups online and
recommended that they remove the files.
Regarding fixes, I think it is possible to improve the security without
affecting user convenience at all. Salting passwords and hashing cookies
in the right direction would be a good start. Protecting data on the wire
(with SSL or otherwise) is nice, but a much less important issue than the
one raised here and in #2394.
--
Ticket URL: <http://trac.wordpress.org/ticket/5367#comment:11>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
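The salting and "hashing cookies in the right direction" that the comment argues for, shown as an added example in Python. This is not code from the ticket, from sjmurdoch, or from WordPress. The weak half assumes the pattern the comment alludes to, a cookie computed from the stored password hash alone, so that read access to the database is enough to forge a login; the hardened half stores salted, stretched password hashes and keeps only a hash of the random cookie token in the database, so a database read yields neither passwords nor usable cookies. Function names, the PBKDF2 parameters and the dictionary standing in for a users-table row are this example's own choices.

```python
"""
Added example: weak cookie scheme (cookie derived from the stored password
hash) beside a hardened one (salted password hashes, cookie token hashed
at rest). Not code from the Trac ticket or from WordPress.
"""
import hashlib
import hmac
import secrets

# ----------------------------------------------------------------------
# Weak scheme (assumed shape of the design under discussion): the DB holds
# md5(password) and the cookie is md5 of that DB value. The hash runs from
# the DB towards the cookie, so whoever can read the DB can mint cookies.
# ----------------------------------------------------------------------
def weak_store_password(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()  # unsalted, by design of the weak scheme

def weak_issue_cookie(stored_hash: str) -> str:
    # Deterministic function of the DB value alone; no server-side secret.
    return hashlib.md5(stored_hash.encode()).hexdigest()

def weak_check_cookie(cookie: str, stored_hash: str) -> bool:
    return hmac.compare_digest(cookie, weak_issue_cookie(stored_hash))

def weak_forge_from_db_read(stored_hash: str) -> str:
    # Read-only access (a read-only SQL injection, a leaked backup) is
    # enough: the stored hash is the cookie's only secret input.
    return weak_issue_cookie(stored_hash)

# ----------------------------------------------------------------------
# Hardened scheme:
#   * passwords are salted and stretched with PBKDF2-HMAC-SHA256;
#   * a login mints a random token; the cookie carries the token and the
#     DB stores only sha256(token). The hash now runs from the cookie
#     towards the DB, so the DB value cannot be turned back into a cookie.
# ----------------------------------------------------------------------
PBKDF2_ROUNDS = 100_000  # illustrative work factor

def hardened_store_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def hardened_verify_password(password: str, stored: str) -> bool:
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

def hardened_issue_cookie(db_row: dict) -> str:
    """Log the user in: return a fresh random token, persist only its hash."""
    token = secrets.token_hex(32)
    db_row["cookie_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return token

def hardened_check_cookie(cookie: str, db_row: dict) -> bool:
    stored = db_row.get("cookie_hash")
    if stored is None:
        return False
    presented = hashlib.sha256(cookie.encode()).hexdigest()
    return hmac.compare_digest(presented, stored)

def hardened_revoke(db_row: dict) -> None:
    """Recovery after a suspected DB read: drop the token hash, forcing re-login."""
    db_row.pop("cookie_hash", None)

if __name__ == "__main__":
    # Constructed sample: one user row as an attacker who can read the DB sees it.
    weak_row = weak_store_password("correct horse")
    print("weak: forged cookie accepted ->",
          weak_check_cookie(weak_forge_from_db_read(weak_row), weak_row))
    row = {"user_pass": hardened_store_password("correct horse")}
    token = hardened_issue_cookie(row)
    print("hardened: real cookie accepted ->", hardened_check_cookie(token, row))
    print("hardened: DB value replayed as cookie ->",
          hardened_check_cookie(row["cookie_hash"], row))
```

Two points the code makes concrete: with the weak scheme, `weak_forge_from_db_read` needs nothing beyond what a read-only compromise yields, whereas with the hardened scheme the attacker holds `cookie_hash`, which `hardened_check_cookie` hashes again before comparing, so replaying it fails; and because every login stores a fresh token hash, recovery after a read-only compromise is a matter of dropping the stored hashes (`hardened_revoke`) rather than rotating every password.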