[UNIX] Wordpress Cookie Integrity Protection Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 28 Apr 2008 14:26:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Wordpress Cookie Integrity Protection Vulnerability
An attacker, who is able to register a specially crafted username on a
Wordpress 2.5 installation, is able to generate authentication cookies for
other chosen accounts.
This vulnerability exists because it is possible to modify authentication
cookies without invalidating the cryptographic integrity protection.
If a Wordpress blog is configured to freely permit account creation, a
remote attacker can gain Wordpress-administrator access and then elevate
this to arbitrary code execution as the web server user.
The vulnerability is fixed in Wordpress 2.5.1.
* Wordpress version 2.5 (vulnerable)
* Wordpress version 2.5.1 (fixed)
Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al. [1] and
Liu et al. [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].
The new cookies are of the form:
"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC
COOKIEHASH: MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME: The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC: HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived from a secret
and USERNAME . EXPIRY_TIME.
The flaw in this scheme is that USERNAME and EXPIRY_TIME are not delimited
in the MAC calculation. Hence the cookie may be modified, without altering
the MAC, provided that the concatenation of USERNAME and EXPIRY_TIME remains
This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al. [1], but Wordpress does not employ their
An attacker wishing to exploit this vulnerability would therefore create
an unprivileged account with its username starting with "admin". The
cookie returned on logging into this account can then be manipulated so as
to be valid for the administrator account.
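To make the splicing flaw concrete, the following Python illustration is added here; it is not WordPress code and not part of the advisory. It models two verifiers: one whose MAC covers the undelimited concatenation USERNAME . EXPIRY_TIME as the advisory describes, and a hardened one that length-prefixes the fields so that no two (username, expiry) pairs share a MAC input. The secret, the clock value, the sample usernames and the key-derivation step are constructed assumptions; the hardened form goes beyond the advisory, which only reports the flaw.

```python
import hmac
import hashlib

# Constructed secret for this illustration only; WordPress derives its MAC key
# from a site secret, and that derivation is not reproduced here.
SECRET = b"constructed-secret-for-illustration"
# Constructed "current time" so that the sample expiry values lie in the future.
NOW = 100_000_000


def _hmac_md5(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.md5).hexdigest()


def mac_undelimited(username: str, expiry: int) -> str:
    # Vulnerable form from the advisory: the MAC input is USERNAME . EXPIRY_TIME
    # with no separator, and the key is derived from that same undelimited
    # string (the exact derivation is an assumption; only its input matters).
    data = (username + str(expiry)).encode()
    key = _hmac_md5(SECRET, data).encode()
    return _hmac_md5(key, data)


def mac_delimited(username: str, expiry: int) -> str:
    # Hardened form: the username is length-prefixed and the fields separated,
    # so distinct (username, expiry) pairs can never yield the same MAC input.
    data = b"%d:%s|%d" % (len(username), username.encode(), expiry)
    key = _hmac_md5(SECRET, data).encode()
    return _hmac_md5(key, data)


def make_cookie(username: str, expiry: int, mac_fn) -> str:
    # Cookie value in the advisory's layout: USERNAME|EXPIRY_TIME|MAC.
    return f"{username}|{expiry}|{mac_fn(username, expiry)}"


def verify_cookie(cookie: str, mac_fn, now: int = NOW):
    """Return the authenticated username, or None if the cookie is rejected."""
    try:
        username, expiry_s, mac = cookie.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None
    if expiry < now:
        return None
    if not hmac.compare_digest(mac, mac_fn(username, expiry)):
        return None
    return username


def splice_accepted(mac_fn) -> bool:
    """Does the verifier accept a cookie whose field boundary has been moved?

    Constructed case: username 'admin1' with expiry 209600000 concatenates to
    the same string as username 'admin' with expiry 1209600000, so a MAC over
    the undelimited concatenation cannot tell the two cookies apart.
    """
    original = make_cookie("admin1", 209600000, mac_fn)
    mac = original.split("|")[2]
    spliced = f"admin|1209600000|{mac}"  # MAC copied over unchanged
    return verify_cookie(spliced, mac_fn) == "admin"


if __name__ == "__main__":
    print("undelimited MAC accepts spliced cookie:", splice_accepted(mac_undelimited))
    print("delimited MAC accepts spliced cookie:  ", splice_accepted(mac_delimited))
```

The point for a verifier is that a MAC only binds what its input unambiguously encodes: if two field layouts serialize to the same bytes, both carry the same tag, and deriving the key from those same bytes does not help. Any injective encoding (length prefixes, a separator that cannot appear in the fields, or a structured encoding such as JSON) closes the gap.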
A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.
- Upgrade to Wordpress 2.5.1
- De-select "Anyone can register" in the Membership section of General
Settings to disable account creation.
[1] Dos and Don'ts of Client Authentication on the Web, Kevin Fu, Emil
Sit, Kendra Smith, Nick Feamster
[2] A Secure Cookie Protocol, Alex X. Liu, Jason M. Kovacs, Chin-Tser
Huang, Mohamed G. Gouda
[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013, Steven J.
2008-04-22: security@xxxxxxxxxxxxx notified - Confirmation of receipt
2008-04-25: Wordpress 2.5.1 released incorporating patch - Vulnerability
The information has been provided by
<mailto:bugtraq+Steven.Murdoch@xxxxxxxxxxxx> Steven J. Murdoch.
The original article can be found at: