oss-sec mailing list archives
Re: Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability
From: Larry Cashdollar <larry0 () me com>
Date: Tue, 18 Nov 2014 14:17:09 -0500
On Nov 17, 2014, at 7:22 PM, Joshua Rogers <oss () internot info> wrote:On 18/11/14 10:30, Larry W. Cashdollar wrote: Turns out Matthew Bryant had already covered everything I had but a few months ago here: http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/On that blog..So we have to bruteforce these five hexadecimal digits – what’s the math on that? Since our keyspace is any hex character and we have a total of five digits we have 16^5 possibilities or 1,048,576 permutations.Using birthday problem maths.. 1048576! / ((1048576-1205)! * 1048576^1205) = 0.500538915 1-0.500538915= .499461085 aka. after 1,205 attempts, you'd have a 50% chance of hitting the correct location.. Just something to consider.
Plus I have a working PoC. I would imagine many sites using Wordpress database names that could be guessed.
-- -- Joshua Rogers <https://internot.info/>
Current thread:
- Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability Larry W. Cashdollar (Nov 17)
- Re: Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability Joshua Rogers (Nov 17)
- Re: Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability Larry Cashdollar (Nov 18)
- Re: Wordpress WP-DB-Backup v2.2.4 Plugin Remote Database Backup Download Vulnerability Joshua Rogers (Nov 17)