frank liked 3 videos.
frank shared Dude, where’s my WordPress session?.
frank liked 2 videos.
frank shared Sharing Your Experiences: How To Contribute To WordPress.
frank shared Music from Our Tube; Harper Blynn.
WordPress is a favourite hackers target. Some say that is because it is inherently insecure, but in reality WordPress is mainly a target because of its popularity, because of people not keeping their installations up to date or using easy to guess usernames and passwords and because of vulnerabilities in plugins rather then WordPress itself.
There is, however, one security-related shortcoming in WordPress from a design point of view: sessions are not stored server-side. If someone logs in, a cookie is set in the browser containing username, a session expiration timestamp and a hash. With every new request to WordPress that cookie (and specifically the hash) is checked to validate the session, but there is no check to see if there indeed was such a session.
This can be considered mainly a theoretical shortcoming, not an immediately exploitable vulnerability, because;
- session-cookies are set with the HTTPOnly-flag so XSS should not be an issue
- in an ideal world all traffic, once logged in, would be over HTTPS, securing against network sniffing.
But there are other (albeit less obvious) ways to steal cookies or even create create new ones to gain unauthorized access, as demonstrated in this very detailed blogpost. As explained in that article, there is no way to block “fake” session-cookies from gaining access (your OTP plugin won’t protect you either) and there is no functionality to monitor and if needed delete sessions.
So … I wrote a small proof-of-concept plugin that gets triggered upon login, logout and upon session verification (i.e. each request) and which stores sessions server-side, automatically logging out unknown sessions. With that in place, lots of other optional features could easily be added;
- display a list of all known current sessions
- allow one or more sessions to be removed
- compare IP address at session verification against the one at session creation and notify or logout if no match
- compare User Agent (and optionally some HTTP accept-headers) at session verification against the one at session creation and notify or logout if no match
- create an audit log
But … I don’t want to do this on my own. I have 3 plugins already, 2 of which are semi-popular and for which I try to do regular releases and provide great support (and I have a daytime-job and a wife and daughter with whom I love to spend quality time as well). Moreover I really don’t want the plugin to “just” be open source, but I want it to be developed in an open source, collaborative manner as well.
So if you’re a WordPress coder, a security consultant or just an innocent passer-by and you are willing to code, review code, translate or document, then do drop me a line. Fame (but not fortune) will be yours!
frank liked HARPER BLYNN- KNIFE.
frank shared Ceremonies het monopolie van de (Katholieke) Kerk?.
frank shared Firefox for Android Hits 4.5 Stars.
frank shared Music from Our Tube; Seelenluft.
frank liked 2 videos.
Friday-evening, time to pretend you’re a young hipster! And this might help; a great (old, as in over 10 years old) track called “Manila” by Seelenluft in the Manitoba remix, as it was featured in Four Tet’s magnificent “Essential Mix” from way back in 2010;
The vocals are by the Michael Smith, who apparently was only 12 years old when recording “Manila”. There’s multiple remixes of it (and the official clip for the Ewan Pearson remix is pretty funny), but none are as wild as this one. Love those crazy horns, they remind me of (the more recent) Neneh Cherry & The Thing with their freaky cover of Springsteen’s “Dream Baby Dream” (which Four Tet remixed as well).