CVE-2007-6013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6013): Wordpress 1.5 to 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash.
web-apps, please advise.
I fail to see this as a vulnerability. Our install instructions instruct the user to create a MySQL database for WordPress, but by default this will not be readable to any outsider. I consider the situation that an external attacker can gain read access to a MySQL db holding web application data as a user misconfiguration. I'd suggest closing this.
It could be used in combination with other vulnerabilities, such as SQL injection flaws that allow reading from the database. I agree this is a low priority, but since upstream is actively dealing with it, I don't see why we should not track the issue and bump once they backport a patch to the 2.3 branch.
Just a note: Still present in 2.3.2
I agree with Gunnar's view on this. This really boils down to a configuration problem rather than a serious application weakness. -1 vote from me on this one. It's true that basing the authentication cookie value on the password's MD5 hash is not the best way to provide a unique session identifier for authentication. Still, utilizing the exploit requires access to the database in the first place, and since they already have access to the data, they won't necessarily need to utilize this "exploit" to cause problems: if they've gotten access to the data in the first place, there's a fair chance they have (or will soon have) edit and delete permissions to that data. Even if they don't get editing capability, simply viewing information can be damaging if it's meant to be very restricted information. Basically, it's like putting a stronger locking mechanism on the only door when someone's already gone and broken the window (... or in some cases they've peeked into the window and saw something relating to an access code written out on a sheet of paper which is sitting on a table adjacent to the window). Personally, I can't believe several other parties actually see this as a vulnerability, since something else has to be vulnerable to a greater degree for this to be exploitable, and it becomes less likely that WordPress would even be the means by which any damage is done once access to the database is obtained (read or otherwise).
I forgot to note that they could just steal the cookie as well, but the situation remains generally the same in that they have access to something they're not supposed to have access to and, through that access, gain access to other things.
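The point raised in the CVE description and in the comment above (an authentication cookie computed purely from the stored MD5 hash can be reproduced by anyone who can read the user table) is easier to see in a small model. The following is an added example written for this bug, not WordPress code and not the fix upstream shipped; the user table, the cookie layout, the `SERVER_KEY` name and the HMAC-with-expiry alternative are all assumptions made for illustration. It contrasts the weak scheme the report describes with a keyed scheme whose secret lives in server configuration rather than in the database, so a database read alone no longer yields a valid cookie.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user table (hypothetical). Like the WordPress versions
# named in the report, it stores only MD5(password) for each account.
USER_DB = {
    "alice": {"pw_md5": hashlib.md5(b"correct horse battery").hexdigest()},
}


def legacy_cookie(pw_md5: str) -> str:
    """Weak scheme from the report: cookie = MD5(MD5(password)).

    Every input comes from the database row, so whoever can read the row
    (SQL injection, leaked dump, stray backup) can produce a valid cookie."""
    return hashlib.md5(pw_md5.encode()).hexdigest()


def legacy_check(username: str, cookie: str) -> bool:
    row = USER_DB.get(username)
    if row is None:
        return False
    return hmac.compare_digest(cookie, legacy_cookie(row["pw_md5"]))


# Hardened alternative (an assumption for this example, not the project's
# code): the cookie is an HMAC under a key kept in server configuration, not
# in the database, and it carries an expiry timestamp.
SERVER_KEY = secrets.token_bytes(32)


def _keyed_msg(username: str, expires: int) -> bytes:
    # Mixing in part of the stored hash ties the cookie to the current
    # password, so a password change invalidates outstanding cookies.
    return f"{username}|{expires}|{USER_DB[username]['pw_md5'][:8]}".encode()


def keyed_cookie(username: str, expires: int, key: bytes = SERVER_KEY) -> str:
    mac = hmac.new(key, _keyed_msg(username, expires), hashlib.sha256).hexdigest()
    return f"{username}|{expires}|{mac}"


def keyed_check(cookie: str, now: int, key: bytes = SERVER_KEY) -> bool:
    try:
        username, expires_s, mac = cookie.split("|")
        expires = int(expires_s)
    except ValueError:
        return False  # malformed cookie
    if username not in USER_DB or expires <= now:
        return False  # unknown user or expired cookie
    expected = hmac.new(key, _keyed_msg(username, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def cookie_forgeable_from_db(username: str, scheme: str) -> bool:
    """Model the scenario in the report: the attacker has read the user row
    (and nothing else) and tries to build a cookie that the server accepts."""
    leaked_hash = USER_DB[username]["pw_md5"]
    if scheme == "legacy":
        return legacy_check(username, legacy_cookie(leaked_hash))
    # Keyed scheme: the attacker knows the format and the leaked hash but not
    # SERVER_KEY, so the best available move is to guess a key.
    guessed_key = secrets.token_bytes(32)
    forged = keyed_cookie(username, int(time.time()) + 3600, key=guessed_key)
    return keyed_check(forged, int(time.time()))


if __name__ == "__main__":
    print("legacy scheme forgeable from DB read:", cookie_forgeable_from_db("alice", "legacy"))
    print("keyed scheme forgeable from DB read: ", cookie_forgeable_from_db("alice", "keyed"))
```

The difference is where the secret lives: in the legacy scheme the database row is the secret, so the confidentiality of the row and the strength of the session mechanism are the same thing, which is exactly why a separate read-only flaw (the SQL injection case mentioned above) turns into a login bypass. In the keyed scheme the row alone is not enough, stolen cookies expire, and `hmac.compare_digest` avoids leaking the comparison through timing.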
Bumped to 2.3.3 and www-apps/wordpress got hard masked again. Guess this should be closed then. At least I assume that web-apps is done here since it is masked again ;)
I guess we can close this one then?
Let's only have one "wordpress is bad" bug open for tracking, bug 168529.