Details ================ Software: OAuth2 Complete For WordPress Version: 3.1.3 Homepage: http://ift.tt/1deB0fP Advisory report: http://ift.tt/1JdcUnH CVE: Awaiting assignment CVSS: 10 (High; AV:N/AC:L/Au:N/C:C/I:C/A:C) Description ================ The OAuth2 Complete plugin for WordPress uses a pseudorandom number generator which is non-cryptographically secure Vulnerability ================ The following refer to the generateAccessToken() function in library/OAuth2/ResponseType/AccessToken.php, and the generateAuthorizationCode() function in library/OAuth2/ResponseType/AuthorizationCode.php. These functions attempt to generate secure auth tokens, but do not use the WordPress random number generator. Instead they use a series of fallback calculations depending on which PHP version is being used. Some of these calculations are not crypographically secure: The first is mcrypt_create_iv(100, MCRYPT_DEV_URANDOM). MCRYPT_DEV_URANDOM is expected to change to a different random value whenever it is called, but on Windows, on older versions of php it is known to be a constant value if no other functions (e.g. /dev/urandom) are available then the access token is generated solely using mt_rand(), microtime(), and uniqid(). mt_rand() (Mersenne twister) is not a cryptographically secure pseudorandom number generator. According to the documentation mt_rand() is also biassed towards even return values in some circumstances. According to the documentation uniqid() is as secure a PRNG as microtime(). Proof of concept ================ See the documentation: http://ift.tt/1IHnLTn http://ift.tt/1ntsSyj Mitigations ================ Upgrade to version 3.1.5 or later. If this is not possible then ensure that you are using a recent version of php (at least 5.3), or disable the plugin. Disclosure policy ================ dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: http://ift.tt/1B6NWzd Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline ================ 2014-04-16: Discovered 2015-07-21: Reported to vendor by email 2015-07-21: Requested CVE 2015-08-10: Vendor responded 2015-08-11: Vendor confirmed fixed in version 3.1.5 2015-08-12: Published Discovered by dxw: ================ Tom Adams Please visit security.dxw.com for more information.
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment