Bug 199833 - www-apps/wordpress Cookie Authentication Vulnerability (CVE-2007-6013)
Summary: www-apps/wordpress Cookie Authentication Vulnerability (CVE-2007-6013)
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://trac.wordpress.org/ticket/5367
Whiteboard: ~3? [masked]
Keywords:
Depends on: 168529
Blocks:
Reported: 2007-11-20 21:32 UTC by Robert Buchholz (RETIRED)
Modified: 2008-02-16 00:44 UTC

Description Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 21:32:15 UTC
CVE-2007-6013 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6013):
  Wordpress 1.5 to 2.3.1 uses cookie values based on the MD5 hash of a password
  MD5 hash, which allows attackers to bypass authentication by obtaining the
  MD5 hash from the user database, then generating the authentication cookie
  from that hash.
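The following is an added illustration of the weakness the CVE text describes and of the kind of keyed scheme that removes it; it is not WordPress code from either version, and the sample user row, the password "correct horse", the SERVER_SECRET value and every function name are assumptions made for the demo. In the affected versions the user_pass column holds md5(password) and the cookie is md5() of that stored value, so a database read (by whatever route, including an unrelated SQL injection) yields a valid cookie without the password. The hardened variant binds the cookie to a server-side secret that is not in the database, to an expiry, and to the current stored hash, so a leaked hash alone no longer suffices and a password change invalidates old cookies.

```python
import hashlib
import hmac

# Constructed sample of a wp_users row: at these versions user_pass held
# md5(password). The password "correct horse" is an assumption for the demo.
USER_DB = {
    "admin": {"user_pass": hashlib.md5(b"correct horse").hexdigest()},
}

# A secret that lives in server config, never in the database. The name and
# value are assumptions; the point is only that a DB read does not reveal it.
SERVER_SECRET = b"assumed-server-side-secret"


def legacy_cookie(stored_hash: str) -> str:
    """Vulnerable scheme: the cookie is md5() of the stored password hash,
    so it depends on nothing an attacker with database read access lacks."""
    return hashlib.md5(stored_hash.encode()).hexdigest()


def legacy_login(username: str, password: str):
    """Login form path: verify the password, then issue the legacy cookie."""
    user = USER_DB.get(username)
    if user is None:
        return None
    candidate = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, user["user_pass"]):
        return None
    return legacy_cookie(user["user_pass"])


def legacy_check(username: str, cookie_value: str) -> bool:
    """Server-side validation of the legacy cookie."""
    user = USER_DB.get(username)
    if user is None:
        return False
    return hmac.compare_digest(legacy_cookie(user["user_pass"]), cookie_value)


def forge_from_db_leak(leaked_hash: str) -> str:
    """Attacker path: a hash read out of the DB (for example through an
    unrelated SQL injection) is enough; the plaintext password is not needed."""
    return legacy_cookie(leaked_hash)


def keyed_cookie(username: str, stored_hash: str, expiration: int,
                 secret: bytes = SERVER_SECRET) -> str:
    """Hardened scheme: HMAC over (username, expiration) under a key that mixes
    the server secret with a fragment of the stored hash. The secret parameter
    exists so the test can show a forger who guesses it wrong fails."""
    key_material = f"{username}|{stored_hash[8:12]}|{expiration}".encode()
    key = hmac.new(secret, key_material, hashlib.sha256).digest()
    tag = hmac.new(key, f"{username}|{expiration}".encode(), hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{tag}"


def keyed_check(cookie_value: str, now: int) -> bool:
    """Validate the keyed cookie: well-formed, known user, unexpired, tag matches."""
    parts = cookie_value.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    username, expiration = parts[0], int(parts[1])
    user = USER_DB.get(username)
    if user is None or expiration < now:
        return False
    expected = keyed_cookie(username, user["user_pass"], expiration)
    return hmac.compare_digest(expected, cookie_value)
```

With the legacy functions, forge_from_db_leak() over the stored hash passes legacy_check() exactly as a real login does; with the keyed ones, the same leaked hash produces nothing useful unless the attacker also holds SERVER_SECRET, and an expired or malformed cookie is rejected before any comparison.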
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 21:34:36 UTC
web-apps, please advise.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-12-02 14:40:27 UTC
I fail to see this as a vulnerability. Our install instructions instruct the user to create a mysql database for wordpress but by default this will not be readable to any outsider.

I consider the situation that an external attacker can gain read access to a mysql db holding web application data as a user misconfiguration.

I'd suggest to close this. 
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-12-03 01:26:20 UTC
It could be used in combination with other vulnerabilities, such as SQL injection flaws that allow reading from the database. I agree this is a low priority, but since upstream is actively dealing with it, I don't see a point why we should not track the issue and bump once they backport a patch to the 2.3 branch.
Comment 4 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-08 06:32:23 UTC
Just a note: Still present in 2.3.2
Comment 5 Matthew Dirks 2008-01-11 18:13:12 UTC
I agree with Gunnar's view on this. This really boils down to a configuration problem rather than a serious application weakness. -1 vote from me on this one.

It's true that basing the authentication cookie value off the password's MD5 hash is not the best way to provide a unique session identifier for authentication. Still, utilizing the exploit requires access to the database in the first place, and since they already have access to the data, they won't necessarily need to utilize this "exploit" to cause problems, as, if they have gotten access to the data in the first place, there's a fair chance they have (or will soon have) edit and delete permissions to that data. Even if they don't get editing capability, simply viewing information can be damaging if it's meant to be very restricted information.

Basically, it's like putting a stronger locking mechanism on the only door when someone's already gone and broken the window (... or in some cases they've peeked into the window and saw something relating to an access code written out on a sheet of paper which is sitting on a table adjacent to the window).

Personally, I can't believe several other parties actually see this as a vulnerability since something else has to be vulnerable to a greater degree for this to be exploitable and it becomes less likely that WordPress would even be the means by which any damage is done once access to the database is obtained (read or otherwise).
Comment 6 Matthew Dirks 2008-01-11 18:18:05 UTC
I forgot to note that they could just steal the cookie as well, but the situation remains generally the same in that they have access to something they're not supposed to have access to and, through that access, gain access to other things.
Comment 7 Gunnar Wrobel (RETIRED) gentoo-dev 2008-02-15 09:45:12 UTC
Bumped to 2.3.3 and www-apps/wordpress got hard masked again.

Guess this should be closed then. At least I assume that web-apps is done here since it is masked again ;)
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-15 18:54:44 UTC
I guess we can close this one then?
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-02-16 00:44:30 UTC
Let's only have one "wordpress is bad" bug open for tracking, bug 168529.