WordPress cookie vulnerability

It seems the WordPress developers have made some wrong decisions in their use of MD5. Full details are in this announcement. In summary, the hash in the cookie for authentication contains MD5(MD5(password)) and the database MD5(password). This means that anyone with access to the hash from the database can pretend to be this user. Whoops. This shows that once again that security is hard as people consistently make the same mistakes.

More details and background on the Security Group blog.

5 thoughts on “WordPress cookie vulnerability

  1. robster

    @Kai:

    An XSS vulnerability or a backup could leak the read only contents of the database. And yes, you’re right that if your passwords are weak then they could be brute forced. But this vulnerability means that no hard computation is necessary at all to pretend to a user.

    One of the proposed solutions is to make the entry in the database store the double hash and then have the single hash in the cookie. To authenticate the user the cookie hash is hashed again and compared to the version in the database.

    In no way am I implying that WordPress is poor quality software, compared with many similar systems out there it is leader of the pack. My point was to increase the awareness of the flaw in this seemingly good strategy so that hopefully others won’t make the same mistakes.

    Reply
  2. Abel Cheung

    Sadly, robster you might be disappointed. Take the exact example above, there was no response even after repeated attempt to send to security@wordpress.org, and it was not discussed before advisory is made public and exploit is known.

    And indeed, this one is not the first example, among those advisories I bother to check, more than 50% are not dealt with until exploits are available or widely known. (note that my number can possibly be biased)

    Reply
  3. Jan Hudec

    Either the information visible on the network or the information in the database is always sufficient to impersonate given user.

    The only way around this is public key cryptography, which is not usable with cookies (HTTP PLAIN authentication with SSL would be OK).

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *