Wordpress 0day: Hacking into computers now easier than previously believed, says Heise Security

November 20, 2007 @ 12:16 pm · Filed under 0day exploits, Cross Site Cooking, Cross Site Request Forging, Cross Site Scripting, Reflective XSS Hacking, Web Application Security, Wordpress Exploits, Wordpress Hacking, XSS Worm

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now.”

http://en.wikipedia.org/wiki/Password_Cracking

“Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a “rainbow table” – a process that can take some time and may not work at all for long passwords, for which there simply are no tables.”

“But according to a security advisory published by Stephen J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:

wordpresspass_<MD5(url)>=MD5(user_pass)

Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (that wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react.”

http://en.wikipedia.org/wiki/HTTP_cookie

Ed Henning

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system.”

This attack is very dangerous 0day for wordpress 2.3, and it only requires the hacker to compromise adminitrator access to wordpress using another more serious hole, and then instead of using admin access or creating new users or modifying user or backdoor into wordpress, he can take encrypted md5 from hacked database and gain access as a user to the wordpress he has previously hacked. All user are encouraged for upgrades. See more:

Sources:

http://heise-security.co.uk/ - Security and Internet Security Expert Consultants.

http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt

These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • blinkbits
  • BlinkList
  • blogmarks
  • BlogMemes
  • Book.mark.hu
  • Bumpzee
  • co.mments
  • connotea
  • De.lirio.us
  • DotNetKicks
  • DZone
  • Fark
  • feedmelinks
  • Fleck
  • Furl
  • Gwar
  • Haohao
  • Hemidemi
  • IndiaGram
  • IndianPad
  • Internetmedia
  • kick.ie
  • LinkaGoGo
  • Linkter
  • Ma.gnolia
  • MisterWong
  • MyShare
  • Netscape
  • Netvouz
  • NewsVine
  • PlugIM
  • PopCurrent
  • ppnow
  • RawSugar
  • Rec6
  • Reddit
  • scuttle
  • Shadows
  • Simpy
  • Slashdot
  • Smarking
  • SphereIt
  • Spurl
  • StumbleUpon
  • Taggly
  • TailRank
  • Technorati
  • ThisNext
  • Webride
  • Wists
  • YahooMyWeb

2 Comments »

  1. pdp Said,

    November 23, 2007 @ 8:01 am

    maybe these 0day XSS used in mac exploits

    http://xssworm.blogvis.com/27/xssworm/mac-sites-are-being-hacked-by-blackhat-xss-hackers/

  2. Used Laptop Said,

    November 5, 2008 @ 6:58 am

    Your link is quite informative but have you thought that those people who were unaware of its flaw try to to take advantage of this information and use it for there ill purposes.

RSS feed for comments on this post

Leave a Comment