Bug 454038 - <www-apps/wordpress-3.5: Improper validation of session cookie (CVE-2012-5868)
Summary: <www-apps/wordpress-3.5: Improper validation of session cookie (CVE-2012-5868)
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [upstream+]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-25 15:59 UTC by GLSAMaker/CVETool Bot
Modified: 2015-04-22 00:25 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2013-01-25 15:59:28 UTC
CVE-2012-5868 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5868):
  WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an
  administrator's logout action, which makes it easier for remote attackers to
  discover valid session identifiers via a brute-force attack, or modify data
  via a replay attack.
Comment 1 Samuel Damashek (RETIRED) gentoo-dev 2013-12-23 01:23:49 UTC
Debian contacted upstream and this was their response:

"""
WordPress does not have session management on the server-side. Currently:
* Cookies are only valid as long as they were originally designed to expire. They may be replayed until they time out.
* They are hashed so they cannot be used after their original intended expiration.
* In general one should be using the WordPress admin over SSL if leaking a cookie is a concern: http://codex.wordpress.org/Administration_Over_SSL.

WordPress takes sensible precautions with these cookies:
* When running over SSL WordPress makes sure to set the secure flag on cookies.
* It sets the HttpOnly flag so that they are not accessible by JavaScript.
* It invalidates the cookies in the browser.

We are looking into some potential changes to our authentication system to allow for explicit session termination, but do not have a timeline at this time.
"""

Upstream cannot fix the bug. What should be done next?
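To make concrete what the CVE text and the upstream reply above describe, here is an added Python model written for this page; it is not WordPress's own code. It builds a stateless `username|expiration|mac` cookie that a browser-side logout cannot revoke, and sets beside it a hypothetical server-side session store that can. The key, the two-day lifetime, the cookie name and the `SessionStore` design are assumptions of the example; WordPress's real scheme also mixes the user's password hash into the MAC key, which is left out here.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this example; a real WordPress install derives its key
# from AUTH_KEY / AUTH_SALT in wp-config.php and from the user's password hash.
SECRET_KEY = b"constructed-example-key-do-not-reuse"
COOKIE_NAME = "wordpress_sec"


def make_stateless_cookie(username: str, expiration: int, key: bytes = SECRET_KEY) -> str:
    """Stateless cookie in the spirit of wordpress_sec: 'username|expiration|mac'.
    The server stores nothing, so only the key and the clock can invalidate it."""
    payload = f"{username}|{expiration}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_stateless_cookie(cookie: str, now: int, key: bytes = SECRET_KEY):
    """Return the username when the cookie parses, is unexpired and the MAC verifies; else None."""
    try:
        username, exp_str, mac = cookie.split("|")
        expiration = int(exp_str)
    except ValueError:
        return None
    if expiration < now:
        return None  # "cannot be used after their original intended expiration"
    expected = hmac.new(key, f"{username}|{expiration}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered cookie
    return username


def logout_stateless(browser_jar: dict) -> None:
    """Logout as described upstream: the browser's copy is cleared, nothing changes server-side."""
    browser_jar.pop(COOKIE_NAME, None)


class SessionStore:
    """Hardened variant (hypothetical): one server-side record per login, so logout can revoke.
    Modelled on the explicit session termination upstream said it was considering."""

    def __init__(self):
        self._sessions = {}  # token -> (username, expiration)

    def login(self, username: str, expiration: int) -> str:
        token = secrets.token_hex(16)  # 128-bit random token: guessing it is infeasible
        self._sessions[token] = (username, expiration)
        return token

    def validate(self, token: str, now: int):
        entry = self._sessions.get(token)
        if entry is None:
            return None  # unknown or revoked
        username, expiration = entry
        if expiration < now:
            del self._sessions[token]
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)  # revocation: any captured copy dies with this


def demo_replay(now: int = 1_700_000_000) -> dict:
    """Login, attacker captures the cookie, victim logs out, attacker replays.
    Returns the outcome of each replay attempt for both designs."""
    expiration = now + 48 * 3600  # WordPress-style two-day lifetime (constructed value)

    # Stateless design (the CVE scenario).
    jar = {COOKIE_NAME: make_stateless_cookie("admin", expiration)}
    captured = jar[COOKIE_NAME]  # e.g. sniffed from a plain-HTTP admin session
    logout_stateless(jar)
    results = {
        "browser_has_cookie_after_logout": COOKIE_NAME in jar,
        "stateless_replay_after_logout": validate_stateless_cookie(captured, now + 60),
        "stateless_replay_after_expiry": validate_stateless_cookie(captured, expiration + 1),
        "stateless_tampered_username": validate_stateless_cookie(
            captured.replace("admin", "editor", 1), now + 60),
    }

    # Stateful design.
    store = SessionStore()
    token = store.login("admin", expiration)
    captured_token = token
    results["stateful_before_logout"] = store.validate(captured_token, now + 60)
    store.logout(token)
    results["stateful_replay_after_logout"] = store.validate(captured_token, now + 60)
    return results


if __name__ == "__main__":
    for name, outcome in demo_replay().items():
        print(f"{name}: {outcome!r}")
```

Running it shows the three behaviours the thread argues about: the stateless cookie still authenticates "admin" after logout and keeps doing so until its expiration passes, a cookie with the username swapped fails the MAC check, and the stateful token is dead the moment the server drops its record. The browser discarding its own copy, as upstream notes, is not revocation; only the server-side record (or rotating the key, which logs everyone out) gives the explicit termination the upstream reply mentions.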
Comment 2 Sebastian Pipping gentoo-dev 2015-04-21 17:51:20 UTC
With 3.8.5 being the latest version in Gentoo I vote for closing as obsolete.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 00:25:45 UTC
Package is no longer in tree. Closing.