
Re: [wp-hackers] Security: Oracle and WordPress

On Jun 22, 2006, at 3:08 PM, Doug Stewart wrote:

AFAICS, that vulnerability isn't a WordPress one, but rather a flaw in
Mark's Subscribe to Comments.

The flaw is a shared one. It isn't a flaw in my plugin alone, nor is it a flaw in WordPress alone, it is a combined flaw, that enables exploitation of a flaw that exists solely in WordPress versions 2.0, 2.0.1 and 2.0.2. That is, there was no security risk using my plugin until WordPress 2.0 was released. Because of that, upgrading to Subscribe to Comments 2.0.4 OR upgrading to WordPress 2.0.3 closes the joint vulnerability (but you should upgrade WordPress to 2.0.3 anyway, because there are other security issues in 2.0.2).


Basically, I chose a certain md5 hash with a certain salt. 6-12 months later, WP 2.0 was released with a hash that was salted the same way. If you registered a WP account with your user name as an e-mail address, you could get the Subscribe to Comments hash to match your WP user hash, and then know the location of your user cache files. You could then use an input sanitization bug in WP to write executable data to your user cache file, and you'd know where it was located so you could run it.

Steven J. Murdoch, who wrote that article, contacted me almost a month ago and relayed this information to me. I released Subscribe to Comments 2.0.4 [1] on May 28th, to protect people until WP 2.0.3 came out a few days later.

==
[1] http://markjaquith.wordpress.com/2006/05/28/subscribe-to-comments-204/
--
Mark Jaquith
http://txfx.net/
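The mechanism Mark describes, two components deriving a per-user identifier with the same unkeyed hash and the same salt, can be illustrated with a small added example. This is not code from the thread, from WordPress or from Subscribe to Comments; the salt value, the exact hash inputs and the "domain label" hardening are assumptions chosen to show the design point, not the real constructions.

```python
import hashlib
import hmac

# Constructed stand-in for the shared construction: both components hash a
# public salt plus an identifier with unkeyed md5. Assumed value, not the
# real salt used by either project.
SHARED_SALT = "assumed-shared-salt"


def plugin_token_weak(email: str) -> str:
    """Hypothetical plugin: token = md5(salt + subscriber e-mail)."""
    return hashlib.md5((SHARED_SALT + email).encode()).hexdigest()


def core_token_weak(username: str) -> str:
    """Hypothetical core app: same construction over the account username."""
    return hashlib.md5((SHARED_SALT + username).encode()).hexdigest()


def weak_cross_component_collision(username: str, email: str) -> bool:
    """True when the plugin's token for an e-mail equals the core token for a
    username, i.e. when one component leaks the other's identifier. With the
    shared construction this happens exactly when username == email."""
    return plugin_token_weak(email) == core_token_weak(username)


def keyed_token(secret: bytes, domain: str, identifier: str) -> str:
    """Hardened variant (assumed design): HMAC-SHA256 keyed with a
    per-component, per-installation secret, with a domain label mixed in so
    two components can never produce the same token for the same input."""
    msg = domain.encode() + b"\x00" + identifier.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def hardened_cross_component_collision(username: str, email: str,
                                       plugin_key: bytes, core_key: bytes) -> bool:
    """Same check against the hardened tokens; distinct domain labels alone
    already prevent a cross-component match, distinct keys add secrecy."""
    return keyed_token(plugin_key, "plugin", email) == keyed_token(core_key, "core", username)


def audit_accounts(accounts):
    """Defender-side check: list accounts whose username equals their e-mail,
    the population exposed by the shared unkeyed construction."""
    return [u for u, e in accounts if weak_cross_component_collision(u, e)]


if __name__ == "__main__":
    sample = [("alice", "alice@example.com"), ("bob@example.com", "bob@example.com")]
    print("exposed by weak scheme:", audit_accounts(sample))
    print("hardened collides:", hardened_cross_component_collision(
        "bob@example.com", "bob@example.com", b"plugin-secret", b"core-secret"))
```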



_______________________________________________ wp-hackers mailing list wp-hackers@xxxxxxxxxxxxxxxxxxxx http://lists.automattic.com/mailman/listinfo/wp-hackers
