Details of new vulnerability in Wordpress

Last week, version 2.5.1 of Wordpress was released in response to the discovery of two vulnerabilities. Now, details concerning one of them have been revealed. According to an entry at the Full Disclosure security mailing list, attackers can use manipulated cookies to get access to user accounts, including the admin account. This access may also allow them to cause the Web server to execute arbitrary PHP code. The vulnerability only affects Wordpress branch 2.5 and the developer branch, in which the developers have implemented a new cookie registration procedure.

To exploit the flaw, attackers have to be able to register with the blog they want to infiltrate using a manipulated username. It turns out that an MD5 checksum intended to prevent cookies from being manipulated imposes no limit on the length of usernames and expiration times in the cookies. By means of a collision attack on the insecure MD5 hash algorithm, attackers can rewrite their valid logon cookie in order to use the shorter name. In light of the flood of spam on outdated Wordpress blogs, admins are advised to update vulnerable installations as soon as possible and check to see whether any usernames look suspicious.

The Wordpress developers point out that in version 2.5 configuration parameter SECRET_KEY, which contains a unique random value intended to make the new cookie handling system more secure, is used in the file wp-config.php. However, in the default configuration the phrase 'put your unique phrase here' is used. In older configuration files, it does not exist at all. Admins should make sure that an arbitrary string is entered for that parameter. The Wordpress devlopers have set up a website for the secret key, where you can generate an appropriate configuration line.

See also:

• Wordpress 2.5 Cookie Integrity Protection Vulnerability, details on the vulnerability at Full Disclosure
• Hidden spam epidemic among outdated WordPress blogs, heise Security report

(mba)