Bug 889289 (CVE-2012-5868)
Field | Value
---|---
Summary | CVE-2012-5868 wordpress: session cookie not invalidated on explicit logout
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED UPSTREAM
Severity | medium
Priority | medium
Version | unspecified
Hardware | All
OS | Linux
Reporter | Vincent Danen <vdanen>
Assignee | Red Hat Product Security <security-response-team>
CC | fedora, gwync
Keywords | Security
Doc Type | Bug Fix
Last Closed | 2019-06-10 10:59:47 UTC
Bug Depends On | 889290, 889291
Description
Vincent Danen
2012-12-20 17:24:23 UTC
Created wordpress tracking bugs for this issue:

Affects: fedora-all [bug 889290]
Affects: epel-all [bug 889291]

Debian got in touch with upstream and this was their reply [1]:

> WordPress does not have session management on the server-side. Currently:
>
> * Cookies are only valid as long as they were originally designed to expire. They may be replayed until they time out.
> * They are hashed so they cannot be used after their original intended expiration.
> * In general one should be using the WordPress admin over SSL if leaking a cookie is a concern: http://codex.wordpress.org/Administration_Over_SSL.
>
> WordPress takes sensible precautions with these cookies:
>
> * When running over SSL WordPress ensures the secure flag is set on cookies.
> * It sets the HTTPOnly flag so that they are not accessible by JavaScript.
> * It invalidates the cookies in the browser.
>
> We are looking into some potential changes to our authentication system to allow for explicit session termination, but do not have a timeline at this time.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696868#37

Upstream leaves the logout functionality entirely in the client's hands. Arguably, this is not a flaw since the premise of the flaw is that the "session cookie is not being invalidated on the server", but the server has no notion of the session cookie other than "has it expired / is it valid" and relies on the browser to do the "logout". The server certainly doesn't keep track of the cookies/sessions. If an attacker gets that cookie, and it hasn't expired, yes, it would give them access. Using SSL is a very reasonable workaround.

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
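The two cookie designs contrasted in the report, as an added example that is not WordPress code and is not part of the original bug entry: a stateless signed cookie of the form user|expiration|MAC (a simplified stand-in for the real WordPress cookie; its hashing, salts and per-user fragment are not reproduced) beside a variant that records a random per-login token server-side so that an explicit logout can revoke the cookie before it expires. SECRET_KEY, SessionStore, replay_after_logout and the timestamps are constructed for the demo and are assumptions, not anything from the WordPress code base.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the WordPress secret keys/salts (AUTH_KEY etc. in wp-config.php).
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _mac(*fields: str, secret: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the '|'-joined cookie fields (assumption: simplified in place of wp_hash())."""
    return hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def issue_stateless(username: str, expiration: int) -> str:
    """Stateless cookie of the kind described in the report: user|expiration|mac.
    Nothing about it is recorded on the server."""
    return "|".join([username, str(expiration), _mac(username, str(expiration))])


def validate_stateless(cookie: str, now: int):
    """Return the username if the cookie is unexpired and the MAC verifies, else None.
    There is no third check: the server cannot tell that the user has 'logged out'."""
    try:
        username, exp_str, mac = cookie.split("|")
        expiration = int(exp_str)
    except ValueError:
        return None
    if now > expiration:
        return None
    if not hmac.compare_digest(mac, _mac(username, exp_str)):
        return None
    return username


class SessionStore:
    """Stateful variant: a random per-login token is covered by the MAC *and* recorded
    server-side, so logout can revoke it before the expiration is reached."""

    def __init__(self):
        self._active = {}  # token -> (username, expiration); a DB/usermeta row in practice

    def issue(self, username: str, expiration: int) -> str:
        token = secrets.token_hex(16)
        self._active[token] = (username, expiration)
        return "|".join([username, str(expiration), token,
                         _mac(username, str(expiration), token)])

    def validate(self, cookie: str, now: int):
        try:
            username, exp_str, token, mac = cookie.split("|")
            expiration = int(exp_str)
        except ValueError:
            return None
        if now > expiration:
            return None
        if not hmac.compare_digest(mac, _mac(username, exp_str, token)):
            return None
        if self._active.get(token) != (username, expiration):
            return None  # revoked (or never issued): the explicit logout took effect
        return username

    def logout(self, cookie: str) -> None:
        """Server-side logout: forget the token, so a replayed copy of the cookie now fails."""
        token = cookie.split("|")[2] if cookie.count("|") == 3 else None
        self._active.pop(token, None)


def replay_after_logout(now: int = 1_000_000, lifetime: int = 2 * 24 * 3600) -> dict:
    """Walk through both schemes and report whether a copied cookie still works after logout."""
    exp = now + lifetime
    stateless = issue_stateless("admin", exp)
    # 'Logout' in the stateless scheme only deletes the browser's copy; a leaked copy is untouched.
    results = {"stateless_replay": validate_stateless(stateless, now + 60),
               "stateless_expired": validate_stateless(stateless, exp + 1)}
    store = SessionStore()
    stateful = store.issue("admin", exp)
    results["stateful_before_logout"] = store.validate(stateful, now + 60)
    store.logout(stateful)
    results["stateful_replay"] = store.validate(stateful, now + 60)
    return results


if __name__ == "__main__":
    for name, value in replay_after_logout().items():
        print(f"{name}: {'accepted as ' + value if value else 'rejected'}")
```

Running the block shows the behaviour the report describes: the stateless cookie is accepted after the browser-side "logout" and is only rejected once its expiration passes (or if any field is tampered with), while the stateful cookie is rejected the moment the server drops its token. The server-side cost is one row per login and one lookup per request; the MAC still covers the token, so an attacker cannot substitute a token of their own.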