WordPress.org

Forums

Security Audit - Questions (2 posts)

  1. Ninestein
    Member
    Posted 3 years ago #

    Hi there,

    So one of our clients has been running security audits of a WordPress site, and has come back with some questions. To give some background, the site is running in SSL mode (entire site), admin tool is IP blocked, and every plugin is up to date. It's also a site where users can sign up and have a profile as a subscriber.

    There are a few items that I do not really want to address as they are part of the core of WordPress (something I've explicitly said we will not modify under any circumstances), so I was wondering if anyone had any easy fixes for these, or if they need to be added to the WordPress roadmap:

    1. _wpnonce token passed in URL. I have tracked this down to be solely in the admin tool, and related primarily to deleting items. I have circumvented this issue by IP restricting the admin tool so it is minor, but maybe this is something that should look to using jQuery to enable them as POST requests.
    2. Session Cookie not set with secure flag. As the site is running completely in SSL mode, cookies need to be set as secure. It is setting the wordpress_sec_XXXXX cookie as secure, but not the wordpress_logged_in_XXXX cookie. Any way to force this to be secure too? I have tried using session_set_cookie_params() and setting that as ssl, but that didn't do the trick.
    3. Logout link does not destroy the session. When a user clicks the logout, the cookie is deleted, but it does not invalidate the old session, making it possible for an attacker to potentially hijack a user's session using the stolen ID even after logging out.

    There were some other items like sessions not timing out, but I have highlighted that this is by design as users want to stay logged in.

    If anyone has any feedback or tips on how to address those, please let me know.

    Thanks

  2. Always good when a security audit occurs and people should look at these things for software they use.

    _wpnonce token passed in URL.

    That's not a bad thing, and it worries me that that would come up as a finding (read as: does the reviewer understand what a nonce is?)

    Nonces are an added security benefit. Don't try to remove them, you'll lose the benefit.

    http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/
    http://en.wikipedia.org/wiki/Cryptographic_nonce

    Session Cookie not set with secure flag

    Making WordPress 100% SSL based has always been a real challenge. Usually it's possible to set the cookies for the cookies you really care about.

    Set this wp-config.php option and re-examine the cookies again. On my installation wordpress_sec_* are Encrypted connections only but the rest came up as clear or encrypted.

    define('FORCE_SSL_ADMIN', true);

    Also rather than modify core code (always a bad idea) try a plugin instead.

    http://wordpress.org/extend/plugins/wordpress-https/
    http://codex.wordpress.org/Administration_Over_SSL
    http://ryan.boren.me/2008/07/14/ssl-and-cookies-in-wordpress-26/

    Logout link does not destroy the session ... making it possible for an attacker to potentially hijack a user's session

    Really? If someone could pull that off via valid PoC code let security [at] wordpress.org know right now. But while it's possible in theory, in practice it's a different story.

    Edit: Please note, I'm not criticizing the findings, the request, or the OP. Security audits when done with the right understanding are valuable and these are valid questions.
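
One way to re-examine the cookies after changing the setting, as the reply above suggests (an added example, not part of either post): the script parses `Set-Cookie` response headers and lists the WordPress auth cookies issued without the Secure attribute. The header lines, the `0123abcd` suffix and the function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers from a WordPress login response.
# SAMPLE_HEADERS is constructed sample data, not captured traffic.
SAMPLE_HEADERS = [
    "HTTP/1.1 302 Found",
    "Set-Cookie: wordpress_sec_0123abcd=alice%7C1700000000%7Caaaa; path=/wp-admin; secure; HttpOnly",
    "Set-Cookie: wordpress_logged_in_0123abcd=alice%7C1700000000%7Cbbbb; path=/; HttpOnly",
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/",
    "set-cookie: theme_pref=secure; Path=/; SECURE",
]

# Cookie name prefixes named in the thread.
AUTH_PREFIXES = ("wordpress_sec_", "wordpress_logged_in_")


def parse_set_cookie(line):
    """Split one Set-Cookie header line into (name, attributes).

    Attribute names are lowercased because they are case-insensitive.
    Only the segments after the first ';' are attributes, so a cookie
    whose *value* happens to be "secure" is not mistaken for the flag.
    """
    _, _, body = line.partition(":")
    segments = [s.strip() for s in body.split(";") if s.strip()]
    name, _, _ = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def insecure_auth_cookies(header_lines, prefixes=AUTH_PREFIXES):
    """Return names of auth cookies that were set without the Secure flag."""
    flagged = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue  # status line or unrelated header
        name, attrs = parse_set_cookie(line)
        if name.startswith(prefixes) and "secure" not in attrs:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for cookie in insecure_auth_cookies(SAMPLE_HEADERS):
        print("missing Secure:", cookie)
```

Feed it the response headers saved from a login over HTTPS, before and after the configuration change, and compare the two lists.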
