Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
WordPress Authentication Cookie Integrity Flaw Lets Remote Users Gain Administrative Privileges
|
|
SecurityTracker Alert ID: 1019923 |
|
SecurityTracker URL: http://securitytracker.com/id/1019923
|
|
CVE Reference:
CVE-2008-1930
(Links to External Site)
|
Date: Apr 25 2008
|
Impact:
User access via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 2.5 only
|
Description:
A vulnerability was reported in WordPress. A remote user can gain elevated privileges on the target application.
Part of the authentication cookie is not included within the message authentication code calculation. As a result, a remote user can modify authentication cookies in a manner that will not be detected by the cryptographic integrity protection.
A remote user that can register a username can register a specially crafted username beginning with the string "admin" and then modify the resulting cookie to gain administrative privileges on Wordpress.
The vendor was notified on April 22, 2008.
The original advisory is available at:
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
Steven J. Murdoch reported this vulnerability.
|
Impact:
A remote user can gain administrative privileges on the target application.
|
Solution:
The vendor has issued a fixed version (2.5.1), available at:
http://wordpress.org/download/
|
Vendor URL: www.wordpress.org/ (Links to External Site)
|
Cause:
Authentication error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 25 Apr 2008 17:02:35 +0100
Subject: [Full-disclosure] Wordpress 2.5 Cookie Integrity Protection
|
Wordpress 2.5 Cookie Integrity Protection Vulnerability
Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>
Systems Affected:
Wordpress 2.5
Overview:
An attacker, who is able to register a specially crafted username on
a Wordpress 2.5 installation, is able to generate authentication
cookies for other chosen accounts.
This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.
If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.
The vulnerability is fixed in Wordpress 2.5.1
I. Description
Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al [1]
and Liu et al [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].
The new cookies are of the form:
"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC
Where:
COOKIEHASH: MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME: The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC: HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived
from a secret and USERNAME . EXPIRY_TIME.
The flaw in this scheme is that USERNAME and EXPIRY_TIME are not
delimited in the MAC calculation. Hence the cookie may be modified,
without altering MAC, provided that the concatenation of USERNAME and
EXPIRY_TIME remains unchanged.
This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al [1], but Wordpress does not employ their
recommended defence.
An attacker wishing to exploit this vulnerability would therefore
create an unprivileged account with its username starting with
"admin". The cookie returned on logging into this account can then be
manipulated so as to be valid for the administrator account.
II. Impact
A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.
III. Solution
Upgrade to Wordpress 2.5.1
Workarounds:
- De-select "Anyone can register" in the Membership section of
General Settings to disable account creation.
References:
[1] Dos and Don'ts of Client Authentication on the Web,
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
http://pdos.csail.mit.edu/papers/webauth:tr.pdf
[2] A Secure Cookie Protocol,
Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013
Steven J. Murdoch,
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
[4] http://trac.wordpress.org/ticket/5367
Timeline:
2008-04-22: security@wordpress.com notified
Confirmation of receipt received
2008-04-25: Wordpress 2.5.1 released incorporating patch
Vulnerability notice published
--
w: http://www.cl.cam.ac.uk/users/sjm217/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
Go to the Top of This SecurityTracker Archive Page
|
