Bug 392411 (CVE-2007-6013)

Summary: CVE-2007-6013 wordpress cookie authentication vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: John Berninger <john>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: adrian, john
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6013
Fixed In Version: wordpress-2.5.1-1
Doc Type: Bug Fix
Last Closed: 2008-05-07 14:24:31 UTC
Bug Depends On: 426432, 426433, 426434

Description Tomas Hoger 2007-11-20 14:26:28 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6013 to the following vulnerability:

Wordpress 1.5 to 2.3.1 uses cookie values based on the MD5 hash of a
password MD5 hash, which allows attackers to bypass authentication by
obtaining the MD5 hash from the user database, then generating the
authentication cookie from that hash.

References:
http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt
http://www.securityfocus.com/archive/1/archive/1/483927/100/0/threaded


According to the advisory, there are multiple flaws in the way wordpress
handles authentication cookies (e.g. stolen cookie can be reused until password
is changed, cookie is not generated per login session, ...), so stealing
password MD5 hash from DB is probably not the only attack vector.

Moreover, there does not seem to be any official upstream fix at the moment.
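
Added example (not part of the original report and not WordPress code): the cookie derivation named in the CVE text, next to one possible hardened form that addresses the points raised above (reuse until password change, no per-login value). `SERVER_SECRET`, `SESSIONS` and all function names are assumptions made for this sketch.

```python
import hashlib, hmac, secrets, time

def legacy_cookie(stored_md5: str) -> str:
    # Scheme from the CVE text: cookie value = MD5(stored MD5 password hash).
    # Every input is a column in the user table; no server-only secret is involved.
    return hashlib.md5(stored_md5.encode()).hexdigest()

def legacy_verify(cookie: str, stored_md5: str) -> bool:
    return hmac.compare_digest(cookie.encode(), legacy_cookie(stored_md5).encode())

SERVER_SECRET = secrets.token_bytes(32)  # assumption: kept outside the user database
SESSIONS = {}                            # session id -> user, held server-side

def mac_hex(msg: str) -> str:
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user: str, ttl: int = 3600, now=None) -> str:
    if "|" in user:
        raise ValueError("field separator not allowed in user name")
    now = int(time.time()) if now is None else now
    sid = secrets.token_hex(16)          # fresh value per login session
    SESSIONS[sid] = user
    msg = f"{user}|{now + ttl}|{sid}"
    return f"{msg}|{mac_hex(msg)}"

def verify_cookie(cookie: str, now=None):
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user, expiry, sid, mac = parts
    if not hmac.compare_digest(mac.encode(), mac_hex(f"{user}|{expiry}|{sid}").encode()):
        return None                      # forged or altered
    if not expiry.isdigit() or int(expiry) < now:
        return None                      # expired
    if SESSIONS.get(sid) != user:
        return None                      # logged out or revoked
    return user

def revoke(cookie: str) -> None:
    # Logout: drop the server-side session so the cookie stops working at once.
    parts = cookie.split("|")
    if len(parts) == 4:
        SESSIONS.pop(parts[2], None)
```

In the legacy form the cookie is a pure function of a database column, so it is identical on every login and stays valid until the password changes; in the hardened form a database read alone yields neither the MAC key nor a live session id.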

Comment 1 Adrian Reber 2007-11-20 17:10:38 UTC
Reading the reference, I have no idea how to fix it other than just waiting for the
next wordpress release.

Comment 2 Adrian Reber 2007-11-20 17:32:53 UTC
http://trac.wordpress.org/ticket/5367

Comment 3 Tomas Hoger 2007-11-21 10:40:02 UTC
Adrian, thanks for the upstream bug link!

Comment 5 Tomas Hoger 2008-05-07 14:24:09 UTC
New cookie hashing method was introduced in wordpress 2.5 (with its own issues
- CVE-2008-1930), so closing this bug.