Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 18 Nov 2014 14:17:09 -0500
From: Larry Cashdollar <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Wordpress WP-DB-Backup v2.2.4 Plugin Remote
 Database Backup Download Vulnerability


> On Nov 17, 2014, at 7:22 PM, Joshua Rogers <oss@...ernot.info> wrote:
> 
>> On 18/11/14 10:30, Larry W. Cashdollar wrote:
>> Turns out Matthew Bryant had already covered everything I had but a few months ago here:
>> 
>> http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
> On that blog..
>> So we have to bruteforce these five hexadecimal digits – what’s the
>> math on that? Since our keyspace is any hex character and we have a
>> total of five digits we have 16^5 possibilities or 1,048,576
>> permutations.
> Using birthday problem maths..
> 1048576! / ((1048576-1205)! * 1048576^1205) =
> 0.500538915
> 
> 1-0.500538915=
> .499461085
> 
> aka. after 1,205 attempts, you'd have a 50% chance of hitting the
> correct location..
> 
> Just something to consider.
> 
Plus I have a working PoC.  I would imagine many sites using Wordpress database names that could be guessed.


> -- 
> -- Joshua Rogers <https://internot.info/>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.