WordPoints / wordpoints / build 415
Coverage: 54% (master: 53%)

Last build branch: 1.10.4
Default branch: master
Ran 22 Jul 2015 01:17PM UTC
Jobs: 1
Files: 0
Run time: –
Build 415 (push, via travis-ci): pending completion

Commit by JDGrimes:
SECURITY: Don't use MD5 to generate nonce

During the breaking updates (e.g., from 1.x to 2.x) we perform a
compatibility check for each of the modules. This check performs an
Ajax request to the site. The callback for this Ajax request calls the
function that displays the modules administration screen. If the screen
is not completely displayed, this indicates that an error of some kind
has occurred. In that case the module is incompatible with the new
version of WordPoints, and so is deactivated.

When the check for a module is performed, a hash value is saved to the
database. This hash is also included as one of the parameters in the
Ajax request. The Ajax callback then checks that the value in the
request matches the one in the database. If it doesn’t, the check is
aborted and there is no attempt to display the modules screen.

Because the MD5 hashing algorithm is not cryptographically secure, it
is unwise to use it here. I am replacing the use of `md5()` with
`wordpoints_hash()`, which uses the SHA256 hashing algorithm.

Exploitation is impossible for all practical purposes. The main reason
for this change is to keep from setting a bad example and to make
security reviews easier.

The time window for exploitation is only a few seconds long. It occurs
only when a breaking update is being performed, which is rare. Because
the hash is unique to each module, and is deleted after the check is
finished, the attacker has only a few moments to attempt to guess the
MD5 hash.

Again, exploitation isn’t really possible. But if an attacker were to
correctly guess the hash, the result would be information disclosure.
He would be able to view the modules administration screen, and
therefore would have a list of all modules installed on the site, and
would know which ones were active.

As a further hardening step, and one which is possibly less
insignificant, the hash is now compared with `hash_equals()` to avoid
timing attacks.
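The check the commit describes, written out as an added example (not WordPoints' own code and not part of this page): a per-module value is stored server-side, sent back as an Ajax parameter, compared in constant time with `hash_equals()`, and deleted once the check completes. It assumes `wordpoints_hash()` behaves like the SHA-256 stub `wp_hash_stub()` below, that the options table is an in-memory array, and that the hash is taken over 32 CSPRNG bytes (the commit does not say what the hash input is).

```php
<?php
// Added example, not WordPoints' own code: the per-module compatibility
// check the commit describes, built on the two primitives it adopts
// (a SHA-256 hash instead of md5(), and hash_equals() for the compare).
// Assumptions: wordpoints_hash() is modelled by wp_hash_stub(), the
// options table is an in-memory array, and the hash input is 32 bytes
// from the CSPRNG.

function wp_hash_stub(string $data): string
{
    // Stand-in for wordpoints_hash(): SHA-256, hex encoded.
    return hash('sha256', $data);
}

function option_key(string $module): string
{
    return 'wordpoints_module_check_' . $module;
}

// Before the Ajax request: create and persist the check value for $module.
function begin_module_check(array &$options, string $module): string
{
    // Unpredictable input, so the value cannot be reconstructed from
    // public data such as the module slug or the current time.
    $token = wp_hash_stub(random_bytes(32));
    $options[option_key($module)] = $token;
    return $token; // sent as one parameter of the Ajax request
}

// The Ajax callback: only render the modules screen when the value matches.
function handle_module_check(array &$options, string $module, string $supplied): bool
{
    $key = option_key($module);
    if (!isset($options[$key])) {
        return false; // no check in progress for this module: abort
    }
    // Constant-time comparison (known value first): response timing reveals
    // nothing about how many leading characters of a guess were correct.
    $matches = hash_equals($options[$key], $supplied);
    // Single use: drop the stored value after the check, whatever the outcome,
    // so the guessing window closes as soon as the check completes.
    unset($options[$key]);
    return $matches;
}

// Constructed run-through: a wrong guess, a replay of a consumed value, a fresh value.
$options = [];
$token = begin_module_check($options, 'example-module');
var_dump(handle_module_check($options, 'example-module', 'not-the-token'));
var_dump(handle_module_check($options, 'example-module', $token));
$token = begin_module_check($options, 'example-module');
var_dump(handle_module_check($options, 'example-module', $token));
```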
Jobs
ID 12, Job ID 415.12 (TRAVISCI_RUN=phpunit WP_VERSION=master), ran 22 Jul 2015 01:07PM UTC, files: 0 (Travis Job 415.12)

Source files on build 415
Detailed source file information is not available for this build.
  • Travis Build #415
  • 050bb4ce on github
  • Next Build on security/77231 (#416)