wordpress: CVE-2012-5868: wp-login.php session termination failure

Related Vulnerabilities: CVE-2012-5868

Debian Bug report logs - #696868
wordpress: CVE-2012-5868: wp-login.php session termination failure

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 28 Dec 2012 14:45:01 UTC

Severity: important

Tags: security, upstream

Found in version wordpress/3.4.2+dfsg-1

Forwarded to https://core.trac.wordpress.org/ticket/20276


Report forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#696868; Package wordpress. (Fri, 28 Dec 2012 14:45:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 14:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: wordpress: CVE-2012-5868: wordpress_sec session cookie security vulnerability
Date: Fri, 28 Dec 2012 16:43:27 +0200
Package: wordpress
Version: 3.4.2+dfsg-1
Severity: important
Tags: security

Overview: WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.

CVSS Severity (version 2.0):
    CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
    Impact Subscore: 2.9
    Exploitability Subscore: 4.9

CVSS Version 2 Metrics:
    Access Vector: Network exploitable
    Access Complexity: High
    Authentication: Not required to exploit
    Impact Type: Allows unauthorized disclosure of information

http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout

Please email me in case you need my help.

- Henri Salo



Changed Bug title to 'wordpress: CVE-2012-5868: wp-login.php session termination failure' from 'wordpress: CVE-2012-5868: wordpress_sec session cookie security vulnerability' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 28 Dec 2012 14:51:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#696868; Package wordpress. (Fri, 28 Dec 2012 14:57:07 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 14:57:07 GMT)


Message #12 received at 696868@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: security@wordpress.org
Cc: 696868@bugs.debian.org
Subject: Questions about CVE-2012-5868
Date: Fri, 28 Dec 2012 16:55:46 +0200
Hello,

I read about vulnerability CVE-2012-5868[1], which is listed also in OSVDB[2]. Is this fixed in WordPress 3.5? I also created a bug-report for Debian issue tracker[3]. Is there a patch available to fix this issue?

1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5868
2: http://osvdb.org/88611
3: http://bugs.debian.org/696868

- Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#696868; Package wordpress. (Fri, 28 Dec 2012 17:42:05 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 17:42:05 GMT)


Message #17 received at 696868@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Henri Salo <henri@nerv.fi>, 696868@bugs.debian.org
Subject: Re: Bug#696868: wordpress: CVE-2012-5868: wordpress_sec session cookie security vulnerability
Date: Fri, 28 Dec 2012 18:39:20 +0100
On Fri, 28 Dec 2012, Henri Salo wrote:
> Please email me in case you need my help.

Does this apply to Wordpress 3.5 also ?

If yes, do you know of any patch ?

Where has this been submitted upstream ?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#696868; Package wordpress. (Fri, 28 Dec 2012 17:57:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 17:57:06 GMT)


Message #22 received at 696868@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 696868@bugs.debian.org
Subject: Re: Bug#696868: wordpress: CVE-2012-5868: wordpress_sec session cookie security vulnerability
Date: Fri, 28 Dec 2012 19:52:50 +0200
On Fri, Dec 28, 2012 at 06:39:20PM +0100, Raphael Hertzog wrote:
> Does this apply to Wordpress 3.5 also ?

Don't know yet. Trying to find out.

> If yes, do you know of any patch ?

Not yet.

> Where has this been submitted upstream ?

Don't know. I only have CVE and http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout

- Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#696868; Package wordpress. (Fri, 01 Mar 2013 17:03:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 01 Mar 2013 17:03:03 GMT)


Message #27 received at 696868@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Henri Salo <henri@nerv.fi>
Cc: Raphael Hertzog <hertzog@debian.org>, 696868@bugs.debian.org
Subject: Re: Bug#696868: wordpress: CVE-2012-5868: wordpress_sec session cookie security vulnerability
Date: Fri, 1 Mar 2013 18:02:06 +0100
On Fri, Dec 28, 2012 at 07:52:50PM +0200, Henri Salo wrote:
> On Fri, Dec 28, 2012 at 06:39:20PM +0100, Raphael Hertzog wrote:
> > Does this apply to Wordpress 3.5 also ?
> 
> Don't know yet. Trying to find out.

Did you hear anything?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#696868; Package wordpress. (Tue, 05 Mar 2013 14:06:03 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 05 Mar 2013 14:06:03 GMT)


Message #32 received at 696868@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Raphael Hertzog <hertzog@debian.org>, 696868@bugs.debian.org
Subject: Re: Bug#696868: wordpress: CVE-2012-5868: wordpress_sec session cookie security vulnerability
Date: Tue, 5 Mar 2013 15:54:50 +0200
On Fri, Mar 01, 2013 at 06:02:06PM +0100, Moritz Mühlenhoff wrote:
> On Fri, Dec 28, 2012 at 07:52:50PM +0200, Henri Salo wrote:
> > On Fri, Dec 28, 2012 at 06:39:20PM +0100, Raphael Hertzog wrote:
> > > Does this apply to Wordpress 3.5 also ?
> > 
> > Don't know yet. Trying to find out.
> 
> Did you hear anything?
> 
> Cheers,
>         Moritz

Not yet. I can try to reproduce this manually.

--
Henri Salo

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#696868; Package wordpress. (Sat, 09 Mar 2013 08:15:03 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Sat, 09 Mar 2013 08:15:03 GMT)


Message #37 received at 696868@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 696868@bugs.debian.org
Subject: reply from wordpress
Date: Sat, 9 Mar 2013 10:11:24 +0200
Andrew Nacin nacin@ replied:

"""
WordPress does not have session management on the server-side. Currently:
* Cookies are only valid as long as they were originally designed to
expire. They may be replayed until they timeout.
* They are hashed so they cannot be used after their original intended
expiration.
* In general one should be using the WordPress admin over SSL if leaking a
cookie is a concern: http://codex.wordpress.org/Administration_Over_SSL.

WordPress takes sensible precautions with these cookies:
* When running over SSL WordPress ensures to set secure flag on cookies
* It sets the HTTPOnly flag so that they are not accessible by javascript
* It invalidates the cookies in the browser.

We are looking into some potential changes to our authentication system to
allow for explicit session termination, but do not have a timeline at this
time.
"""

So this is not yet fixed in upstream. How should we proceed?

--
Henri Salo
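
A simplified model of the cookie design described in the quoted reply, next to a server-side session store that supports explicit termination. This is an added example, not part of the original message and not WordPress code; the key, the cookie field layout and all function and class names are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-key"  # constructed; stands in for a per-site secret


def _mac(user, expires):
    return hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()


def issue_stateless(user, now, ttl):
    """Cookie is user|expiry|HMAC; the server keeps no record of it."""
    expires = now + ttl
    return f"{user}|{expires}|{_mac(user, expires)}"


def check_stateless(cookie, now):
    try:
        user, expires, mac = cookie.split("|")
        expires = int(expires)
    except ValueError:
        return False
    # The expiry is inside the MAC, so a client cannot extend it, but nothing
    # here can tell a logged-out cookie from a live one before that time.
    good = hmac.compare_digest(mac.encode(), _mac(user, expires).encode())
    return good and now < expires


class SessionStore:
    """Server-side record per login: what explicit termination requires."""

    def __init__(self):
        self._live = {}  # sha256(token) -> expiry

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, now, ttl):
        token = secrets.token_urlsafe(32)
        self._live[self._key(token)] = now + ttl
        return token

    def check(self, token, now):
        expires = self._live.get(self._key(token))
        return expires is not None and now < expires

    def logout(self, token):
        self._live.pop(self._key(token), None)
```

In the stateless model, logout can only delete the browser's copy of the cookie, so any other copy keeps verifying until the signed expiry; the store makes logout a server-side fact.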

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#696868; Package wordpress. (Sun, 16 Feb 2014 07:12:04 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
Extra info received and forwarded to list. (Sun, 16 Feb 2014 07:12:04 GMT)


Message #42 received at 696868@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: 696868@bugs.debian.org
Subject: Upstream reply to this bug
Date: Sun, 16 Feb 2014 18:01:04 +1100
I reported this bug in the wordpress forum and the reply from one of the
developers is at
http://wordpress.org/support/topic/old-bug-cve-2012-5868

 - Craig
-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



Added tag(s) upstream. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Sun, 16 Feb 2014 07:12:11 GMT)


Set Bug forwarded-to-address to 'https://core.trac.wordpress.org/ticket/20276'. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Sun, 16 Feb 2014 07:12:11 GMT)