WordPress Weak Pseudorandom Number Generator Lets Remote Users Predict Password Reset Tokens
SecurityTracker Alert ID: 1031749|
SecurityTracker URL: http://securitytracker.com/id/1031749
(Links to External Site)
Date: Feb 13 2015
Disclosure of authentication information|
Fix Available: Yes Vendor Confirmed: Yes |
A vulnerability was reported in WordPress. A remote user may be able to predict the password reset token.|
The pseudorandom number generator is not sufficiently random. Windows-based systems are affected.
A remote user can exploit this to predict the password reset token.
The vendor was notified on June 25, 2014.
Scott Arciszewski reported this vulnerability.
A remote user may be able to predict the password reset token and gain access to the target site.|
A proposed patch is available at:|
Vendor URL: wordpress.org/ (Links to External Site)
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: [FD] CVE-2014-6412 - WordPress (all versions) lacks CSPRNG|
Ticket opened: 2014-06-25
Affected Versions: ALL
Problem: No CSPRNG
Patch available, collecting dust because of negligent (and questionably
competent) WP maintainers
On June 25, 2014 I opened a ticked on WordPress's issue tracker to expose a
cryptographically secure pseudorandom number generator, since none was
present (although it looks like others have tried to hack together a
band-aid solution to mitigate php_mt_seed until WordPress gets their "let's
support PHP < 5.3" heads out of their asses).
For the past 8 months, I have tried repeatedly to raise awareness of this
bug, even going as far as to attend WordCamp Orlando to troll^H advocate
for its examination in person. And they blew me off every time.
If anyone with RNG breaking experience (cough solar designer cough) can PoC
it, without the patch I've provided you should be able to trivially predict
the password reset token for admin users and take over any WordPress site
Eight fucking months.
Patch available with unit tests and PHP 5.2 on Windows support at
Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/