WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#6413 closed enhancement (wontfix)

Add custom prefix to cookie-names

Reported by: webrocker
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Only recently a new kind of exploit/attack started on WordPress blogs, during which a directory is created inside "wp-contents" with several HTML and JavaScript files. See:
http://cyberinsecure.com/wordpress-doorway-spam-attacks/
http://blogsecurity.net/wordpress/automated-wordpress-hacking-tool-cached-by-google/
http://www.village-idiot.org/archives/2008/03/18/wordpress-spam-inject-honeypot/
http://wordpress.org/support/topic/161723
One of the proposed ways to keep the attack out is to rename the cookies' names, because the attack relies on the default cookie-names.
So I think maybe it would be a good idea to use the prefix-option from the wp-config file and add that to the cookie name, and maybe to the default admin-user's name as well?

Change History (4)

comment:1 DD32 6 years ago

Renaming the cookies is pointless IMO. The exploit will simply change to grab cookies which are using any prefix, not just the WordPress-prefixed cookies.

If they can create files, there are many places they could simply plonk a .php file and have WP auto-include it inside the wp-content folder.

I'm not too sure, but I'm pretty sure that with the changes made in the authentication, WP 2.5 may not be as affected by that form of attack.

comment:2 follow-up: westi 6 years ago

  • Severity changed from major to normal

Giving away the db prefix in the cookie name sounds like bad security fu to me.

You would be giving a hacker extra information about your blog.

The cookie names are already based on the site url - we could maybe change this from a straight md5 of the site url to something less deterministic.

We do already allow you to define your own cookie names in wp-config.php if you want:
http://trac.wordpress.org/browser/trunk/wp-settings.php#L269
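
An added illustration of the two points in comment:2 (not part of the ticket and not WordPress code): names built from a straight md5 of the site URL can be recomputed by anyone who knows that URL, and a custom name that embeds the table prefix leaks it. The `wordpressuser_`/`wordpresspass_` name prefixes are assumed from pre-2.5 WordPress defaults and are not stated in the ticket; the URL, table prefix and cookie names are constructed samples.

```python
import hashlib

# Assumed pre-2.5 default name prefixes (not stated in the ticket).
DEFAULT_PREFIXES = ("wordpressuser_", "wordpresspass_")


def default_cookie_names(site_url):
    """Names derived from a straight md5 of the site URL, as comment:2 describes."""
    digest = hashlib.md5(site_url.encode("utf-8")).hexdigest()
    return {prefix + digest for prefix in DEFAULT_PREFIXES}


def audit_cookie_names(site_url, observed_names, db_prefix=None):
    """Classify each observed cookie name.

    predictable   -> computable by anyone who knows the public site URL
    leaks-prefix  -> custom name that embeds the database table prefix
    custom        -> overridden name that reveals neither
    """
    # The stored site URL may or may not carry a trailing slash; check both.
    candidates = set()
    base = site_url.rstrip("/")
    for variant in (base, base + "/"):
        candidates |= default_cookie_names(variant)

    report = {}
    for name in observed_names:
        if name in candidates:
            report[name] = "predictable"
        elif db_prefix and db_prefix.lower() in name.lower():
            report[name] = "leaks-prefix"
        else:
            report[name] = "custom"
    return report


if __name__ == "__main__":
    # Constructed sample data: a made-up site URL, table prefix and cookie names.
    url = "http://blog.example.test"
    seen = sorted(default_cookie_names(url)) + ["wp7x_user", "sess_a81f"]
    for cookie, verdict in audit_cookie_names(url, seen, db_prefix="wp7x_").items():
        print(f"{verdict:13} {cookie}")
```
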

comment:3 in reply to: ↑ 2 Webrocker 6 years ago

Replying to westi:

Giving away the db prefix in the cookie name sounds like bad security fu to me.

You would be giving a hacker extra information about your blog.

Hi, thanks for the fast response.

Yes, giving away the prefix that's used for the db-tables is indeed a bad idea, and adding another prefix-option in wp-config for the cookies will most likely result in users choosing the same prefix for both.

I'm not sure how the exploit works, but DD32's comments make sense to me.

Thanks again

comment:4 ryan 6 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

2.5 has a brand new cookie system that makes it very easy to mass invalidate cookies and also prevents attackers who have gained access to the DB from creating cookies with that information. See #5367
