
Old bug CVE-2012-5868 (3 posts)

  1. Craig
    Member
    Posted 7 months ago

    I've recently been reviewing the bugs for the Debian wordpress package and came across Bug 696868 which also has a CVE number.

    Now this is for an old wordpress version 3.4.2 but I cannot find any reference anywhere saying it got fixed and if it did get fixed which version is ok.

    The bug report also seems to have a quote from someone in WordPress saying in 2013 they didn't think it was too bad, but were looking at fixing it.

    Any idea where this bug is at? I'd like to clear it off the Debian BTS and have it fixed or resolved some other way.

  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 months ago

    It is not a bug, as such. The report is somewhat confused and slightly misleading.

    WordPress does not use "sessions" and so it is not actually vulnerable to "session replay" attacks. In this sense, the report is incorrect.

    Instead, the cookie sent to WordPress users has all the necessary information to identify and authenticate that user. So, it is potentially vulnerable to a different kind of attack known as a "cookie hijacking" attack.

    The concern is that if somebody manages to steal your cookies, then they can login as you, for a little while. WordPress mitigates this risk in several ways.

    First, the cookies contain a timeout as part of their content. They are only valid for the original time they were issued, and cannot be used indefinitely.

    Second, the cookies used for administrative tasks are different from the cookies used for the "front end" of the site. Simply viewing your site and having the front-end cookie stolen is not enough to gain access to your site.

    Third, all cookies are marked for HTTP-Only delivery, which makes them inaccessible to JavaScript code (barring exploits in the browser).

    Fourth, if running over SSL, the SSL flag is set for cookies, meaning that they will only be delivered over encrypted connections.

    In general, cookie hijacking is not a major concern. Other exploits are more common (with the most common being somebody simply finding out your password).

    See, to successfully perform cookie hijacking, the attacker must be able to a) intercept your traffic and then b) use it within the limited time period that the cookie is valid (2 days by default). If this is a major concern for your situation, then using the "Admin over SSL" feature of WordPress will cause the admin cookies (the ones that let you do things) to be always encrypted. Additionally, changing the password of a user invalidates all their old cookies immediately, so that can be used to close any holes the instant an intrusion via this method is suspected.

    More information about Admin over SSL can be found here:
    http://codex.wordpress.org/Administration_Over_SSL

    WordPress is constantly looking for ways to improve security, and it is possible that as new attacks become known in the future, the core code will change to address these forms of attacks.

    This particular issue, along with similar aspects, is being discussed publicly in this ticket:
    https://core.trac.wordpress.org/ticket/20276
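    The design Otto describes (a self-authenticating cookie with no server-side session, an expiry embedded in the cookie, separate cookies for admin and front-end use, a key that changes with the password, and HttpOnly/Secure delivery) can be shown end to end in a few dozen lines. The following is an added example written for this thread, in Python rather than WordPress's PHP; it is not WordPress's own cookie code or format. The server secret, the `username|expiration|mac` layout, the `admin`/`front` scheme names and the sample password hashes are all constructed for the example.

```python
"""Stateless login cookie with the mitigations described in the post above.

Added example, not WordPress code. The cookie carries everything needed to
authenticate the bearer, so there is no session to replay; what remains is
cookie theft, bounded by the mitigations demonstrated in demo().
"""
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-example-secret-do-not-reuse"  # assumed config value
DEFAULT_LIFETIME = 2 * 24 * 3600  # 2 days, the default lifetime quoted in the post


def _cookie_key(username, password_hash, expiration, scheme):
    # The stored password hash is mixed into the key, so changing the password
    # changes the key and silently invalidates every cookie issued before.
    # The scheme ("admin" vs "front") is mixed in too, so a front-end cookie
    # cannot be presented as an admin cookie.
    material = f"{username}|{password_hash}|{expiration}|{scheme}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).digest()


def _cookie_mac(key, username, expiration, scheme):
    return hmac.new(key, f"{username}|{expiration}|{scheme}".encode(),
                    hashlib.sha256).hexdigest()


def issue_cookie(username, password_hash, scheme, now=None, lifetime=DEFAULT_LIFETIME):
    """Build a cookie value: username|expiration|mac (layout is an assumption)."""
    now = int(time.time()) if now is None else now
    expiration = now + lifetime
    key = _cookie_key(username, password_hash, expiration, scheme)
    return f"{username}|{expiration}|{_cookie_mac(key, username, expiration, scheme)}"


def validate_cookie(cookie, scheme, lookup_password_hash, now=None):
    """Return the username if the cookie is valid for `scheme`, else None."""
    now = int(time.time()) if now is None else now
    try:
        username, exp_str, mac = cookie.rsplit("|", 2)
        expiration = int(exp_str)
    except ValueError:
        return None
    if expiration < now:  # embedded timeout: a stolen cookie is not usable forever
        return None
    password_hash = lookup_password_hash(username)
    if password_hash is None:
        return None
    key = _cookie_key(username, password_hash, expiration, scheme)
    # Constant-time comparison; a forged expiry or wrong scheme fails here.
    if not hmac.compare_digest(mac, _cookie_mac(key, username, expiration, scheme)):
        return None
    return username


def set_cookie_header(name, value, over_tls):
    """Deliver the cookie HttpOnly always, and Secure when the site runs over TLS."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if over_tls:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


def demo():
    """Exercise each mitigation on constructed data; returns outcomes by case."""
    users = {"alice": "constructed-old-password-hash"}  # constructed sample store
    lookup = users.get
    t0 = 1_700_000_000
    admin_cookie = issue_cookie("alice", users["alice"], "admin", now=t0)
    front_cookie = issue_cookie("alice", users["alice"], "front", now=t0)
    user, exp, mac = admin_cookie.rsplit("|", 2)
    forged = f"{user}|{int(exp) + 10**6}|{mac}"  # attempt to extend the lifetime
    results = {
        "fresh_admin": validate_cookie(admin_cookie, "admin", lookup, now=t0 + 3600),
        "expired": validate_cookie(admin_cookie, "admin", lookup, now=t0 + 3 * 24 * 3600),
        "front_cookie_used_for_admin": validate_cookie(front_cookie, "admin", lookup, now=t0 + 3600),
        "forged_expiry": validate_cookie(forged, "admin", lookup, now=t0 + 3600),
    }
    users["alice"] = "constructed-new-password-hash"  # the user changes their password
    results["after_password_change"] = validate_cookie(admin_cookie, "admin", lookup, now=t0 + 3600)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
    print(set_cookie_header("auth", "example-value", over_tls=True))
```

    Only the first case authenticates; the expired, cross-scheme, forged-expiry and post-password-change cases all return None, which is the behaviour the four mitigations and the password-change advice in the post describe.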

  3. Craig
    Member
    Posted 6 months ago

    Thanks Samuel, I have updated the Debian bug tracker with some more details.
    I thought the underlying problem was that if you log out then someone could use the cookies to "revive" the session. As I didn't report this and have adopted the Debian package only recently, that take might be wrong. I was surprised by that, because session_destroy() is supposed to make that not happen.
