Sid from notsosecure.com informed us today of a low risk (yet interesting) vulnerability he has found in WordPress.
An attacker can read comments on posts that have not been moderated. This can be a real security risk if blog admins are using unmoderated comments (comments that have not been made public) to hide sensitive notes regarding posts, future work, passwords etc. So please be careful if you are one of these blog admins.
The following (example) cookie is set in the browser when a user submits a comment:
comment_author_4a8287188f05d2a891382f06d83a93c6=Test+User;
comment_author_email_4a8287188f05d2a891382f06d83a93c6=testuser%40test.com;
comment_author_url_4a8287188f05d2a891382f06d83a93c6=deleted;
The cookie seen above is not random, although it does look that way at first glance. The only part that changes between users submitting comments is the actual user data (i.e. the username and email address); the rest of the cookie stays the same. This means an attacker who supplies a valid author name and email address can view that author's unmoderated comments.
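A minimal model of the weak check described above, shown next to a token-bound alternative, as an added example that is not the post's or WordPress's own code. The cookie names follow the example cookie; the Comment class, the per-comment token and the sample comments are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Comment:
    post_id: int
    author: str
    email: str
    body: str
    approved: bool = False
    # Hardened model only: a random per-comment secret that cannot be derived from author data.
    token: str = field(default_factory=lambda: secrets.token_hex(16))

def visible_comments_weak(comments, post_id, cookie):
    """Model of the behaviour the post describes: a pending comment is shown to any
    visitor whose cookie carries the matching author name and email address."""
    return [c for c in comments if c.post_id == post_id and (
        c.approved or (c.author == cookie.get("comment_author")
                       and c.email == cookie.get("comment_author_email")))]

def visible_comments_strong(comments, post_id, cookie):
    """Hardened alternative: a pending comment is shown only when the cookie carries the
    random token issued at submission time; name and email alone prove nothing."""
    token = cookie.get("comment_token", "")
    return [c for c in comments if c.post_id == post_id and (
        c.approved or hmac.compare_digest(c.token, token))]

# Constructed sample data: one public comment and one still awaiting moderation.
COMMENTS = [
    Comment(7, "Public Poster", "public@example.com", "Nice post", approved=True),
    Comment(7, "Test User", "testuser@test.com", "private note: staging creds rotated"),
]

def demo():
    pending = COMMENTS[1]
    # Cookie reconstructed from a known name and email only (no secret in it).
    guessed = {"comment_author": pending.author, "comment_author_email": pending.email}
    # Cookie the submitting browser would hold in the hardened model.
    genuine = {"comment_token": pending.token}
    return {
        "weak_guessed": [c.body for c in visible_comments_weak(COMMENTS, 7, guessed)],
        "strong_guessed": [c.body for c in visible_comments_strong(COMMENTS, 7, guessed)],
        "strong_genuine": [c.body for c in visible_comments_strong(COMMENTS, 7, genuine)],
    }

if __name__ == "__main__":
    for check, bodies in demo().items():
        print(check, bodies)
```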
I feel WordPress can do a lot more with regards to session security, and I hope they will take a hard look at this for future releases. WordPress stores a lot of critical information in static cookies (i.e. the password). This means that if an attacker gets hold of the admin cookies, your blog will be vulnerable not for the duration of the cookie but for the duration of your password, making replay attacks possible for a very lengthy or sometimes indefinite period.
Thanks again to Sid for keeping us informed.
[…] Unauthorised Comments Disclosure (more) […]
[…] By enumerating the name and email address of a comment author, an attacker can read the comment submitted by the author while the comment still waits for an administrator to approve it and publish it. This again points to the need for better session management in WordPress. Read the full story here […]
[…] A full description (in English) is available here. […]
That is a feature, not a bug, and was “reported” years ago when the feature was introduced.
Matt, you're starting to sound like Microsoft ;>
Thanks for the feedback.