Full Disclosure mailing list archives



CVE-2014-6412 - WordPress (all versions) lacks CSPRNG

Ticket opened: 2014-06-25 Affected Versions: ALL Problem: No CSPRNG Patch available, collecting dust because of negligent (and questionably competent) WP maintainers On June 25, 2014 I opened a ticked on WordPress's issue tracker to expose a cryptographically secure pseudorandom number generator, since none was present (although it looks like others have tried to hack together a band-aid solution to mitigate php_mt_seed until WordPress gets their "let's support PHP < 5.3" heads out of their asses). For the past 8 months, I have tried repeatedly to raise awareness of this bug, even going as far as to attend WordCamp Orlando to troll^H advocate for its examination in person. And they blew me off every time. If anyone with RNG breaking experience (cough solar designer cough) can PoC it, without the patch I've provided you should be able to trivially predict the password reset token for admin users and take over any WordPress site completely. Eight fucking months. Patch available with unit tests and PHP 5.2 on Windows support at https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch Scott https://scott.arciszewski.me @voodooKobra _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

By Date By Thread

Current thread: