Archive for April, 2008

1994 job posting – Jeff Bezos is looking for staff for his start-up Amazon.com

Check out this job posting made by Jeff Bezos in 1994:

Well-capitalized start-up seeks extremely talented C/C++/Unix
developers to help pioneer commerce on the Internet.  You must have
experience designing and building large and complex (yet maintainable)
systems, and you should be able to do so in about one-third the time
that most competent people think possible.  You should have a BS, MS,
or PhD in Computer Science or the equivalent.  Top-notch communication
skills are essential.  Familiarity with web servers and HTML would be
helpful but is not necessary.

Expect talented, motivated, intense, and interesting co-workers.  Must
be willing to relocate to the Seattle area (we will help cover moving
costs).

Your compensation will include meaningful equity ownership.

Send resume and cover letter to Jeff Bezos:

mail:    be…@netcom.com
fax:     206/828-0951
US mail: Cadabra, Inc.
10704 N.E. 28th St.
Bellevue, WA  98004

We are an equal opportunity employer.

-------------------------------------------------------------------
“It’s easier to invent the future than to predict it.”  — Alan Kay
-------------------------------------------------------------------


Critical Wordpress vulnerability, UPDATE NOW!

It is possible for a malicious site visitor to register a special username and gain administrative privileges on your Wordpress Blog. (Described below)

It is recommended to update now!

Wordpress 2.5 Cookie Integrity Protection Vulnerability

Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>

Systems Affected:

Wordpress 2.5

Overview:

An attacker, who is able to register a specially crafted username on
a Wordpress 2.5 installation, is able to generate authentication
cookies for other chosen accounts.

This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.

If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1

I. Description

Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al [1]
and Liu et al [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].

The new cookies are of the form:

"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

Where:

COOKIEHASH:  MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME:    The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC:         HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived
             from a secret and USERNAME . EXPIRY_TIME.

The flaw in this scheme is that USERNAME and EXPIRY_TIME are not
delimited in the MAC calculation. Hence the cookie may be modified,
without altering MAC, provided that the concatenation of USERNAME and
EXPIRY_TIME remains unchanged.

This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al [1], but Wordpress does not employ their
recommended defence.

An attacker wishing to exploit this vulnerability would therefore
create an unprivileged account with its username starting with
“admin”. The cookie returned on logging into this account can then be
manipulated so as to be valid for the administrator account.

II. Impact

A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.

III. Solution

Upgrade to Wordpress 2.5.1

Workarounds:

- De-select “Anyone can register” in the Membership section of
General Settings to disable account creation.

References:

[1] Dos and Don’ts of Client Authentication on the Web,
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
http://pdos.csail.mit.edu/papers/webauth:tr.pdf
[2] A Secure Cookie Protocol,
Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013
Steven J. Murdoch,
http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
[4] http://trac.wordpress.org/ticket/5367

Timeline:

2008-04-22: security@wordpress.com notified
            Confirmation of receipt received
2008-04-25: Wordpress 2.5.1 released incorporating patch
            Vulnerability notice published
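
The field-boundary problem described in the advisory above, as an added example that is not part of the advisory or of Wordpress's own code: a Python model of the MAC as the advisory describes it, next to a length-prefixed variant that authenticates where each field ends. The secret, the sample username and expiry values, and all function names are constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed placeholder, not a real site secret


def _hmac_md5(key, msg):
    # HMAC-MD5 is kept only to match the scheme the advisory describes
    return hmac.new(key, msg, hashlib.md5).digest()


def mac_undelimited(username, expiry):
    """MAC over USERNAME . EXPIRY_TIME with no separator (the flawed form)."""
    data = (username + expiry).encode()
    key = _hmac_md5(SECRET, data)  # key derived from the secret and the same data
    return _hmac_md5(key, data).hex()


def mac_length_prefixed(username, expiry):
    """Hardened form: each field carries a 4-byte length, so boundaries are covered."""
    fields = [f.encode() for f in (username, expiry)]
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    key = _hmac_md5(SECRET, data)
    return _hmac_md5(key, data).hex()


def issue(username, expiry, mac_fn):
    return f"{username}|{expiry}|{mac_fn(username, expiry)}"


def verify(cookie, mac_fn):
    """Return the authenticated username, or None if the cookie is rejected."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expiry, tag = parts
    ok = hmac.compare_digest(mac_fn(username, expiry), tag)
    return username if ok else None


def boundary_shift_accepted(mac_fn):
    """Take a tag issued for one field split and present it with the split moved."""
    tag = issue("admin1", "209600000", mac_fn).rsplit("|", 1)[1]
    return verify(f"admin|1209600000|{tag}", mac_fn) == "admin"


if __name__ == "__main__":
    print("undelimited accepts shifted boundary:", boundary_shift_accepted(mac_undelimited))
    print("length-prefixed accepts shifted boundary:", boundary_shift_accepted(mac_length_prefixed))
```

Any cookie or token format that MACs several fields can be checked the same way: if two different field tuples serialize to the same byte string, the MAC cannot tell them apart.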


Ubuntu Hardy Heron (8.04) – a first look at the… software distribution model of Canonical

Part of my day has been dedicated to creating backup routines and gathering enough space to mirror saved data and to download and later burn the Ubuntu Hardy Heron disc-image.

The problem here is… The software distribution system that Canonical (the company behind Ubuntu) uses just doesn’t work very well at times of a new release. You see, Canonical have local mirrors – and that is all fine, but then when you want to access and download the actual iso-image or perhaps (like myself) get access to a torrent-file in order to actually save Canonical bandwidth, then they rely on local universities out there – universities that just don’t have the infrastructure to even serve the download requests coming in.

So, in the middle of the day I sit and try to get access to the .torrent-file in order to start my download and even help distribute Canonical’s software, but… I can’t!

Canonical need to decide to either switch their distribution model to rely mainly on distributed data models such as bittorrent, or to invest more in the physical infrastructure behind their software distribution to the end-user.

As it is now, it just does not work very well.

Enough complaints for one day, I am now in the process of installing Ubuntu 8.04 (“fresh upgrade”) on one of my laptops, as this machine is really in need of new and improved acpi drivers/settings etc.
(Yes, you guessed correctly – it is a Dell Inspiron that you can’t close the lid on and/or switch off or it freezes up.)

I will give impressions of Ubuntu Hardy Heron in an upcoming post after I have used the system a bit.

See you soon! :)

Wordpress 2.5 = flawless update (but remember to disable your plugins kids)

Before updating from Wordpress 2.3.3 to Wordpress 2.5 I did a backup within my control panel (Interworx), and after that I followed the instructions per the update page on Wordpress.org.

What did dawn on me was that I didn’t disable my plugins before I went ahead and updated the software; however, this sweat was only momentary, as the process went without any issues even so.

In any case, don’t hesitate to take the plunge – it is one great piece of kit this Wordpress. Except for the improved internal cache-handling, the backend is a real treat; fast and easy to use. The auto-update of your installed plugins is another nifty feature.
