WordPress Sour Grapes
In case you missed it, a few weeks ago the Light Blue Touchpaper blog got popped because of a WordPress vulnerability. Don't feel bad; you may have blinked.
What makes this notable is that Steven J. Murdoch followed up by pointing out the obvious. Yes, WordPress authentication and cookie handling are atrociously bad. But it appears a slight omission was made in the Solution section:
- QUIT USING WORDPRESS
Seriously. Could it be any more clear?
Oh, and one more thing. Ignoring the apparent flaws in this approach, assume P is your password and MD5(P) is stored in the database; to authenticate, P is submitted, and MD5(P) is computed and compared to the stored database value. Doesn't that mean that if P is submitted in clear text and is sniffed or captured, the value can simply be replayed for any future authentication session? That's pretty bad, right? If you agree, then consider the case where P is actually MD5(password), which is exactly what the cookie becomes in the fix quoted next.
From Murdoch's potential fixes:
The problem occurs because it is easy to go from the password hash in the database to a cookie (i.e. the application of MD5 is the wrong way around). The simplest fix is to store MD5(MD5(password)) in the database, and make the cookie MD5(password). This still makes it infeasible to retrieve the password from a cookie, but means that it is also infeasible to generate a valid cookie from the database entry.
So, if I can get my hands on your cookie, not only can I replay it to log in, I can also run an offline dictionary attack against an unsalted MD5 and may well recover your real password. Depending on which you consider more likely, XSS (which steals cookies) or SQL injection (which dumps the database), maybe WordPress isn't going the wrong way after all.
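To make the "which way round" argument concrete, here is an added example modelling both schemes side by side. It is not code from the original post, from WordPress, or from Murdoch; scheme A is a simplified model of the criticised design (database stores MD5(password), cookie derived from that stored hash, ignoring the username and other fields the real cookie carried), scheme B is the fix quoted above, and the password and wordlist are constructed for the demo. It shows the three things the post argues about: a stolen cookie replays in both schemes, a leaked database forges a cookie only in A, and a leaked cookie is dictionary-crackable in B (and, for an attacker who knows the scheme, in A as well, at the cost of one extra MD5 per guess).

```python
import hashlib
import hmac


def md5(s: str) -> str:
    """Hex MD5 of a UTF-8 string, unsalted as in both schemes discussed."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# --- Scheme A: simplified model of the design the post criticises ---
# Database stores MD5(password); the login cookie is derived from that stored hash.
def a_store(password: str) -> str:
    return md5(password)


def a_cookie(password: str) -> str:
    return md5(md5(password))


def a_verify(cookie: str, db_hash: str) -> bool:
    return hmac.compare_digest(cookie, md5(db_hash))


# --- Scheme B: the fix quoted from Murdoch ---
# Database stores MD5(MD5(password)); the cookie is MD5(password).
def b_store(password: str) -> str:
    return md5(md5(password))


def b_cookie(password: str) -> str:
    return md5(password)


def b_verify(cookie: str, db_hash: str) -> bool:
    return hmac.compare_digest(md5(cookie), db_hash)


# --- Attacks ---
def forge_cookie_from_db(db_hash: str) -> str:
    """SQL-injection scenario: attacker holds the stored hash and submits MD5(db_hash) as the cookie."""
    return md5(db_hash)


def crack_cookie(cookie: str, wordlist, cookie_fn):
    """XSS scenario: attacker holds the cookie and guesses the password offline,
    recomputing the scheme's cookie derivation for each candidate."""
    for guess in wordlist:
        if cookie_fn(guess) == cookie:
            return guess
    return None


# Constructed sample data for the demo (assumptions, not from the page).
WORDLIST = ["password", "123456", "letmein", "qwerty", "wordpress"]
USER_PASSWORD = "letmein"


def demo() -> dict:
    db_a, db_b = a_store(USER_PASSWORD), b_store(USER_PASSWORD)
    cookie_a, cookie_b = a_cookie(USER_PASSWORD), b_cookie(USER_PASSWORD)
    return {
        # 1. A captured cookie is a bearer token in both schemes: nothing ties it to a session,
        #    so presenting it again later is accepted exactly as the first time.
        "replay_a": a_verify(cookie_a, db_a) and a_verify(cookie_a, db_a),
        "replay_b": b_verify(cookie_b, db_b) and b_verify(cookie_b, db_b),
        # 2. Database leak -> valid cookie? True for A, False for B (the fix's stated goal).
        "forge_a": a_verify(forge_cookie_from_db(db_a), db_a),
        "forge_b": b_verify(forge_cookie_from_db(db_b), db_b),
        # 3. Cookie leak -> password? B's cookie is one unsalted MD5 away from the password;
        #    A's cookie is two, which only costs an attacker who knows the scheme one extra hash per guess.
        "crack_b": crack_cookie(cookie_b, WORDLIST, b_cookie),
        "crack_a": crack_cookie(cookie_a, WORDLIST, a_cookie),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The verify functions use hmac.compare_digest so the demo does not introduce a timing side channel of its own; the point of the example is the hash direction, not the comparison. Note that neither scheme salts anything, which is why the dictionary attack in step 3 needs no precomputation beyond a wordlist.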