All versions of WordPress fail to implement a cryptographically secure pseudorandom number generator.
170595a1bbe7e09d77645ac1e3ed66ad3b2cd04dd4cb157b616751c9edc794df
Ticket opened: 2014-06-25
Affected Versions: ALL
Problem: No CSPRNG
Patch available, collecting dust because of negligent (and questionably
competent) WP maintainers
On June 25, 2014 I opened a ticked on WordPress's issue tracker to expose a
cryptographically secure pseudorandom number generator, since none was
present (although it looks like others have tried to hack together a
band-aid solution to mitigate php_mt_seed until WordPress gets their "let's
support PHP < 5.3" heads out of their asses).
For the past 8 months, I have tried repeatedly to raise awareness of this
bug, even going as far as to attend WordCamp Orlando to troll^H advocate
for its examination in person. And they blew me off every time.
If anyone with RNG breaking experience (cough solar designer cough) can PoC
it, without the patch I've provided you should be able to trivially predict
the password reset token for admin users and take over any WordPress site
completely.
Eight fucking months.
Patch available with unit tests and PHP 5.2 on Windows support at
https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
Scott
https://scott.arciszewski.me
@voodooKobra