WordPress 2.5 Secret_Key Vulnerability
José Carlos Nieto Jarquín has found a vulnerability affecting WordPress 2.5 ONLY. His advisory was released on SecurityFocus yesterday.
Our recent "Secure WordPress Whitepaper Revision" covers the new WordPress SECRET_KEY variable in the ‘wp-config.php’ file. This SECRET_KEY must be set to something random, as specified in the WordPress documentation. If it is left at its default value, it may be possible for an attacker to brute force the default WordPress SALT generation process and gain access to your blog.
The vulnerability has been rated Medium risk as it only affects WordPress installations matching certain criteria. See the advisory for more details.
A proof of concept exploit is publicly available. Please ensure that you set your SECRET_KEY in your ‘wp-config.php’ file to something random.
From wp-config.php:
// Change SECRET_KEY to a unique phrase. You won't have to remember
// it later, so make it long and complicated. You can visit
// https://www.grc.com/passwords.htm to get a phrase generated for you,
// or just make something up.
define('SECRET_KEY', 'put your unique phrase here');
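As an added example (not code from BlogSecurity or from WordPress itself), the script below audits a wp-config.php for the problem described above: it extracts the SECRET_KEY define, reports whether it is missing, still the shipped placeholder, or too short, and can rewrite the define with a freshly generated random value. It assumes the define has the single-line layout shown in the fragment above; the 32-character minimum is an assumption of this example, not a WordPress rule, and the embedded wp-config.php text is constructed sample input.

```python
import re
import secrets
import string
import sys
from typing import Optional

# The placeholder WordPress 2.5 ships in wp-config.php (see the fragment above).
DEFAULT_PLACEHOLDER = "put your unique phrase here"
# Assumed minimum length for this audit; not a WordPress-mandated value.
MIN_LENGTH = 32

# Matches define('SECRET_KEY', '...') or define("SECRET_KEY", "...") on one line.
DEFINE_RE = re.compile(r"""define\(\s*['"]SECRET_KEY['"]\s*,\s*(['"])(.*?)\1\s*\)""")

# Constructed sample wp-config.php that still carries the default placeholder.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
// Change SECRET_KEY to a unique phrase.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.
define('WP_DEBUG', false);
"""


def extract_secret_key(config_text: str) -> Optional[str]:
    """Return the SECRET_KEY value from wp-config.php text, or None if absent."""
    match = DEFINE_RE.search(config_text)
    return match.group(2) if match else None


def assess_secret_key(value: Optional[str]) -> str:
    """Classify a SECRET_KEY value: 'missing', 'default', 'short' or 'ok'."""
    if value is None:
        return "missing"
    if value == DEFAULT_PLACEHOLDER:
        return "default"
    if len(value) < MIN_LENGTH:
        return "short"
    return "ok"


def generate_secret_key(length: int = 64) -> str:
    """Generate a random key from the OS CSPRNG.

    The alphabet deliberately excludes the single quote, double quote and
    backslash so the value can be dropped into a PHP quoted string unchanged.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,.;:~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def replace_secret_key(config_text: str, new_value: str) -> str:
    """Rewrite the SECRET_KEY define with new_value, leaving the rest untouched."""
    if any(ch in new_value for ch in "'\\"):
        raise ValueError("new_value must not contain a single quote or backslash")
    return DEFINE_RE.sub(lambda _m: "define('SECRET_KEY', '%s')" % new_value,
                         config_text, count=1)


def audit_file(path: str, rewrite: bool = False) -> str:
    """Audit (and optionally fix) the wp-config.php at path; return the verdict."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    verdict = assess_secret_key(extract_secret_key(text))
    if rewrite and verdict != "ok":
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(replace_secret_key(text, generate_secret_key()))
    return verdict


if __name__ == "__main__":
    # Usage: python audit_secret_key.py /path/to/wp-config.php [--fix]
    # Without arguments, audit the constructed sample instead.
    if len(sys.argv) > 1:
        print(audit_file(sys.argv[1], rewrite="--fix" in sys.argv[2:]))
    else:
        print("sample verdict:", assess_secret_key(extract_secret_key(SAMPLE_WP_CONFIG)))
        print("replacement line:", "define('SECRET_KEY', '%s');" % generate_secret_key())
```

Run it against a real wp-config.php to get the verdict, or with `--fix` to have a random key written in place; because a new SECRET_KEY invalidates all existing login cookies, run the rewrite at a time when forcing users to log in again is acceptable.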
Comments
[...] This flaw has been announced on securityfocus with enough detail to verify that the threat is real, and it has also been confirmed by Blogsecurity.net. [...]
[...] The problem affects only version 2.5 and was discovered by the Mexican blogger José Carlos Anieto; the flaw was also announced on SecurityFocus with all the details and on BlogSecurity. [...]
I had exactly the same thoughts as Malte above. Generate a long random salt value during installation or upgrade. There is no need for the user to be able to change this value.
[...] announced a security vulnerability about WordPress 2.5, posted on SecurityFocus, read the article: WordPress 2.5 Secret_Key Vulnerability. This security pitfall only involves a few WordPress configurations, but if you’re in those [...]
[...] WordPress 2.5 vulnerability, discovered and reported on SecurityFocus, read the article WordPress 2.5 Secret_Key Vulnerability. This flaw affects only some WordPress installations, for reasons that are explained [...]
[...] also has a link for the Secret Key vulnerability in WordPress 2.5 which gives you a random string for your SECRET_KEY entry in [...]
[...] note this vulnerability is different to http://blogsecurity.net/wordpress/wordpress-25-secret_key-vulnerability/ [...]
WP 2.5.1: Secure Cookies in WordPress with SECRET_KEY parameter in config settings…
José Carlos Nieto Jarquín reported a vulnerability in WP 2.5:
He published an advisory on SecurityFocus on 15 Apr 2008 regarding insecurity regarding the default SECRET_KEY configuration value. You could gain access to any account if you know the defaul…
[...] you can’t just simply add anything; BlogSecurity reminds you that it needs to be something totally random. What you can do is make use of the secret key generator by the WordPress team; it will generate a [...]
WP 2.5 security hole…
WordPress 2.5 uses, in the new config.php (in the WordPress root directory), a key that should be changed individually to avoid possible brute force attacks on this key, which is probably present in many installations. To do so, a…