Vulnerability in WordPress cookie authentication
A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now. Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a "rainbow table" – a process that can take some time and may not work at all for long passwords, for which there simply are no tables.
But according to a security advisory published by Stephen J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:
Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (that wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react.
He also says that the design flaw is already being exploited, though he has not explained how attackers get to the password hash. No SQL injection vulnerabilities are known in the current version of WordPress. However, previous installations may still be vulnerable.
- Wordpress Cookie Authentication Vulnerability, Steven J. Murdoch's security advisory