2718.us blog » security

A Variety of Issues with Pseudo-Random Numbers in PHP

2718.us — Mon, 01 Sep 2008 01:10:22 +0000

It appears that there are now demonstrated exploits of PHP apps that use mt_rand() and/or rand() as a result of issues of seeding in one application affecting the PRNG stream in another application that used the PRNG to generate passwords or similar such things. From mt_srand and not so random numbers:

… it is strongly recommended for the PHP developers to add more secure random number functions to the PHP core and it is strongly recommended for PHP application developers to keep their fingers away from srand() or mt_srand() and to never ever use rand() or mt_rand() for cryptographic secrets.

It sounds like the PRNGs in PHP, mt_rand() and rand(), shouldn’t be used for anything security-related, and perhaps /dev/random or /dev/srandom or some such should be used instead (though this is much more system-dependent).

Authenticating with WordPress 2.6 (part 3)

2718.us — Sun, 03 Aug 2008 23:55:48 +0000

So, as a followup to parts 1 and 2, per WordPress Trac ticket #7001, WordPress 2.6 has split up the login cookies into three parts:

what was the one and only login cookie in 2.5 is now limited to /wp-admin
there’s a copy of that one that’s just limited to /wp-content/plugins, for backward compatibility with plugins
there’s a new cookie that is at COOKIEPATH (which can be defined in your config file), that is checked by calling
```
is_user_logged_in()
```
(but perhaps this isn’t intended for secure authorization?)

So, it appears the way to go may be to change

auth_redirect()

if (!is_user_logged_in()) auth_redirect();

Maybe more to follow on this when I’ve more thoroughly explored it.

Authenticating with WordPress 2.6 (part 2)

2718.us — Wed, 30 Jul 2008 04:32:54 +0000

Having stated the problem and now played further, I’ve got good news and bad news.

The good news is that there’s an action hook, ‘set_auth_cookie’, that gets called whenever the cookies are set, so if the stuff for which you want to authenticate is on the same server but at a different path, you can create a plugin (or maybe use functions.php in your theme?) with something like the following:

function your_unique_name_here_set_auth_cookie($auth_cookie, $expire, $expiration, $user_id, $scheme) {
setcookie(AUTH_COOKIE, $auth_cookie, $expire, '/path/to/your/stuff', COOKIE_DOMAIN);
}
add_action('set_auth_cookie','your_unique_name_here_set_auth_cookie',10,5);

The bad news is that if your WordPress install is at example.com/something and you want to use it to authenticate at portal.example.com, you can’t set a cookie for portal.example.com from a script on example.com, so your only choice would be to set a cookie with path / on .example.com (note the leading period), which completely breaks the security added by the separate cookies.

Hopefully, there’ll be a “part 3″ to this wherein I solve this last problem somehow, since that’s the setup I’m dealing with.

Authenticating with WordPress 2.6 (part 1)

2718.us — Wed, 30 Jul 2008 03:03:51 +0000

I’ve been hoping for the last hour or two that there’d be just one post on this topic, giving the problem and solution all together, but I have yet to solve it and so I’m just going to post the issue for now, until I have a solution.

As a security measure in WP2.6, login cookies are now split into what seem to be at least three different cookies—two with paths like /wp-admin and /wp-content/plugins that are the full cookie that auth_redirect() checks against and one that’s different, with path / [paths relative to the blog root]. Near as I can tell, this immediately breaks any attempt to use auth_redirect() for authentication (e.g. this and this) outside the /wp-admin and /wp-content/plugins directories. It is also not immediately clear to me how to authenticate against the whole-site cookie, if there’s any way to do that at all.

A temporary, but very bad fix would be to completely defeat the security by defining ADMIN_COOKIE_PATH to be the site root, rather than the path to /wp-admin. I’m thinking that, from a quick skim of pluggable.php, there might be plugin action hooks to allow setting other cookies that would allow authentication on other paths…

Since I already Mentioned OpenBSD for Routers…

2718.us — Sun, 18 May 2008 16:12:48 +0000

I subscribe to a few security-alert email lists, most of which I skim and delete (since I already know that there are new fixes for multiple vulnerabilities in MS Windows and/or Office without being told and since I don’t care about issues with multi-thousand-dollar Oracle/Cisco/Sun products). It’s rare that an alert really catches my eye the way the Debian/OpenSSL thing did. I think the key thing to point out is that it seems that somewhere along the way someone in the Debian realm broke OpenSSL–that’s why this is a Debian-specific issue. I’d also like to point out that this is why I use OpenBSD for high-security machines (i.e. router/firewall machines): careful, detailed security auditing.

The SECRET_KEY in WordPress

2718.us — Thu, 24 Apr 2008 22:20:59 +0000

I’ve gotten into the habit of actually reading the various blogs to which there are links on my WordPress dashboard and I saw this today from boren.nu:

To make cookies secure against attacks where someone has managed to get into your database through an SQL injection exploit or other means, WordPress 2.5 introduced a user-definable constant called SECRET_KEY. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.

// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords
.htm
// to get a phrase generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase

If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php.

That last bit is, of course, the critical thing for me and had me going back and inserting SECRET_KEYs into all my older/upgraded WordPress installs. Just remember that if you’re integrating with bbPress, you have to match the SECRET_KEYs in wp-config.php and bb-config.php.

Matt (yes, that Matt) on WordPress Security

2718.us — Mon, 14 Apr 2008 17:28:56 +0000

Even though the post title and first paragraph are about calling out a sound-and-fury-signifying-nothing alert, most of his post is good stuff on WordPress, with lots of links.

… there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google.