<h3 style="text-align: center;" class="storytitle" id="post-21"><strong><a href="http://xssworm.blogvis.com/21/xssworm/wordpress-0day-hacking-into-computers-now-easier-than-previously-believed-says-heise-security/" rel="bookmark" title="Permanent Link: Wordpress 0day: Hacking into computers now easier than previously believed, says Heise Security">
Wordpress 0day: Hacking into computers now easier than previously believed, says Heise Security</a></strong></h3>
<p><strong>"A design flaw in the <a href="http://wordpress.org/" target="_blank">
WordPress</a>
blog software authentication process makes it easier than previously
believed for attackers to compromise a system. Most content management
systems and blogs save user passwords as hashes in the underlying
database. So even if attackers were to get access to the hashes stored
in the database, for instance by means of an SQL injection hole, they
have not been able to do much with them up to now."</strong></p>
<p><strong>"Specifically, if they want to recover the passwords, they
would have to compare a hash with entries in a "rainbow table" – a
process that can take some time and may not work at all for long
passwords, for which there simply are no tables."</strong></p>
<p align="center"><strong><img src="http://images.vnunet.com/v7_images/generic/medium/pcw_ed.gif" alt="Ed Henning" align="top" height="110" width="185"></strong></p>
<p><strong>"But according to a security advisory published by Stephen
J. Murdoch of the University of Cambridge, a property in WordPress can
be exploited to get access without the password. Instead of trying to
obtain the password, Murdoch used its hash to generate an
authentication cookie to gain access to the system. A member of the
core team behind The Onion Router (TOR) anonymization project, Murdoch
says that the MD5 hash only has to be hashed a second time with MD5.
According to his report, the authentication procedure implemented in
WordPress then looks like:</strong></p>
<p style="text-align: center;"><strong><tt>wordpresspass_&lt;MD5(url)&gt;=MD5(user_pass)</tt></strong></p>
<p><strong>Here, the URL is clearly spelled out, and <tt>user_pass</tt>
corresponds to the hash (MD5(password)). Along with the wordpressuser
cookie (that is, <tt>wordpressuser_&lt;MD5(url)&gt;=admin</tt>), access is then
reportedly provided to the WordPress admin account. Murdoch says he has
informed the developers of WordPress of the problem, but they have yet
to react."</strong></p><br>Please, Mr Murdoch, no more talking to the media about security. Or maybe we create new media now (-;<br><br>vaj <br><br>-- <br>Francesco Vaj [CISSP - GIAC]<br>CSS Security Researcher<br>mailto:<a href="mailto:vaj@nospam.xssworm.com">
vaj@nospam.xssworm.com</a><br>aim: XSS Cross Site <br>------<br>XSS Cross Site Scripting Attacks<br>Media Manipulation and Web 2.0 Insecurity Blog (tm) 2007<br><a href="http://www.XSSworm.com/">http://www.XSSworm.com/</a>
<br>------<br>"Vaj, bella vaj."
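<p>The following Python example is added here to illustrate the design point in the quoted advisory; it is not code from this blog, from Heise, from Murdoch, or from WordPress itself. It reconstructs the cookie scheme as the article describes it (cookie value = MD5(user_pass), where user_pass is the MD5(password) row already in the database, under cookie names derived from MD5(url)) and places beside it a hardened variant of my own that binds the cookie to a server-side secret and an expiry with an HMAC. The site URL, password and secret are constructed sample values. The point for a defender is visible in the two verify functions: the legacy check needs nothing the database does not already contain, so a database read is equivalent to a session, whereas the hardened check fails for anyone who holds the stored hash but not the server secret.</p>

```python
import hashlib
import hmac

# Constructed sample values for this demonstration; not taken from any real site.
SITE_URL = "http://blog.example"                              # assumed site URL used in cookie names
STORED_USER_PASS = hashlib.md5(b"correct horse").hexdigest()  # what an old wp_users row held: MD5(password)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def cookie_names(site_url: str):
    """Cookie names as the advisory describes them:
    wordpressuser_<MD5(url)> and wordpresspass_<MD5(url)>."""
    suffix = md5_hex(site_url.encode())
    return "wordpressuser_" + suffix, "wordpresspass_" + suffix


def legacy_cookie_value(stored_user_pass: str) -> str:
    """Legacy scheme from the article: cookie = MD5(user_pass), user_pass = MD5(password).
    The only input is the value already stored in the database."""
    return md5_hex(stored_user_pass.encode())


def legacy_verify(cookie_value: str, stored_user_pass: str) -> bool:
    """Server-side check of the legacy scheme: recompute MD5 of the stored hash and compare.
    Note that no secret unknown to the database is involved anywhere."""
    return hmac.compare_digest(cookie_value, md5_hex(stored_user_pass.encode()))


# Hardened variant (my own illustration of the general fix direction, i.e. a server-side
# secret key plus expiry; this is NOT WordPress's actual implementation).
def hardened_cookie_value(username: str, stored_user_pass: str, expiry: int, server_secret: bytes) -> str:
    """Bind username, expiry and stored hash under an HMAC keyed with a secret the DB never holds."""
    msg = "{}|{}|{}".format(username, expiry, stored_user_pass).encode()
    tag = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return "{}|{}|{}".format(username, expiry, tag)


def hardened_verify(cookie_value: str, stored_user_pass: str, server_secret: bytes, now: int) -> bool:
    """Reject malformed, expired, or wrongly-keyed cookies; compare tags in constant time."""
    try:
        username, expiry_s, tag = cookie_value.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if now > expiry:
        return False
    msg = "{}|{}|{}".format(username, expiry, stored_user_pass).encode()
    expected = hmac.new(server_secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def leaked_hash_is_enough(stored_user_pass: str, server_secret: bytes, now: int):
    """Compare both schemes from the viewpoint of someone who holds only the stored hash.
    Returns (legacy_accepts, hardened_accepts)."""
    legacy_ok = legacy_verify(legacy_cookie_value(stored_user_pass), stored_user_pass)
    # Without the real secret the best one can do is key the HMAC with a guess.
    guessed = hardened_cookie_value("admin", stored_user_pass, now + 3600, b"not-the-real-secret")
    hardened_ok = hardened_verify(guessed, stored_user_pass, server_secret, now)
    return legacy_ok, hardened_ok


if __name__ == "__main__":
    user_cookie, pass_cookie = cookie_names(SITE_URL)
    print("cookie names:", user_cookie, pass_cookie)
    print("legacy accepts / hardened accepts:",
          leaked_hash_is_enough(STORED_USER_PASS, b"constructed-server-secret", 1700000000))
```

<p>Running the script prints the two derived cookie names and then <tt>(True, False)</tt>: the legacy verifier accepts a cookie built from the stored hash alone, the HMAC-based one does not. The expiry check also gives a stolen hardened cookie a bounded lifetime, which the legacy scheme lacks entirely because its value is a pure function of the database row.</p>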