Security researcher Krzysztof Katowicz-Kowalewski has identified a denial-of-service vulnerability affecting the latest version of WordPress. The vulnerability has been confirmed in WordPress 3.5.1, but other versions might also be affected by the security hole.
According to Secunia, the issue is rated “moderately critical.”
“The vulnerability is caused due to an error when calculating the hash cycle count within the "crypt_private()" method in /wp-includes/class-phpass.php and can be exploited to exhaust CPU and memory resources by sending HTTP requests with a specially crafted password cookie,” reads Secunia’s advisory.
“Successful exploitation requires the knowledge of the URL for a password-protected post,” the advisory continues.
Katowicz-Kowalewski says he has informed the WordPress security team about the vulnerability, but since he hasn’t received any response from them, he has decided to make his research public.
Until the issue is permanently addressed, the expert advises users to apply a patch he has developed.
Katowicz-Kowalewski points out that the buggy code was not written by WordPress developers. Instead, it lies in the "Portable PHP password hashing framework" created by Solar Designer.
However, the expert believes this still concerns WordPress.
“Even though it is an external library, it is obvious that the security problem relates to the WordPress software too. Moreover, the library may or may not be prepared for application-specified behavior, and developers need to pay attention to problems that may arise when implementing support for some external code,” he wrote on his blog.
“That is, in my honest opinion, the problem in this case is related only to WordPress and its implementation of the authorization system. The user should not be able to pass an arbitrary string to the crypt_private function - the data passed to the library needs to be sanitized and/or the code of crypt_private needs to be modified in order to fulfill application requirements.”
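The sanitization the researcher describes can be illustrated with a small input gate placed between the cookie and the hashing library. The following is an added example written for this article; it is not WordPress code, not phpass code, and not the researcher's patch. It relies only on the documented portable phpass hash layout (the "$P$" prefix, one character encoding log2 of the iteration count, 8 salt characters, 22 digest characters, all drawn from the library's itoa64 alphabet). The function names, the `MAX_COST_LOG2` ceiling and the sample strings are assumptions chosen for the example; the ceiling should match whatever cost the application itself configured when it generated its hashes.

```php
<?php
// Added example (not WordPress or phpass code): validate a phpass-style
// setting string before it is ever handed to PasswordHash::crypt_private().
// Portable hash layout: "$P$" + 1 cost char + 8 salt chars + 22 digest chars.
// The cost char is an index into the itoa64 alphabet and encodes log2(rounds).

const PHPASS_ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Assumed application policy: never accept a cost above what the application
// itself uses for its own hashes (here 2^13 rounds, i.e. cost character 'B').
const MAX_COST_LOG2 = 13;

/**
 * Return the iteration-count exponent encoded in a portable phpass hash,
 * or null if the string is not a well-formed portable hash.
 */
function phpass_cost_log2(string $hash): ?int
{
    // Exactly 34 characters: 3 prefix + 1 cost + 8 salt + 22 digest.
    if (strlen($hash) !== 34 || substr($hash, 0, 3) !== '$P$') {
        return null;
    }
    $costLog2 = strpos(PHPASS_ITOA64, $hash[3]);
    if ($costLog2 === false) {
        return null;
    }
    // Salt and digest must consist solely of itoa64 characters.
    if (strspn(substr($hash, 4), PHPASS_ITOA64) !== 30) {
        return null;
    }
    return $costLog2;
}

/**
 * Gate for a value taken from an untrusted cookie: accept only a well-formed
 * hash whose cost does not exceed the application's own ceiling. Anything
 * else is dropped before the library starts iterating.
 */
function is_acceptable_password_hash(string $candidate): bool
{
    $costLog2 = phpass_cost_log2($candidate);
    return $costLog2 !== null && $costLog2 <= MAX_COST_LOG2;
}

// Constructed sample cookie values (not real hashes), for demonstration only.
$samples = [
    '$P$B' . str_repeat('a', 30),  // cost 2^13: well-formed, within ceiling -> accepted
    '$P$E' . str_repeat('a', 30),  // cost 2^16: well-formed, above ceiling  -> rejected
    '$1$'  . str_repeat('a', 31),  // wrong prefix                           -> rejected
    '$P$B' . str_repeat('!', 30),  // characters outside the alphabet        -> rejected
];

foreach ($samples as $value) {
    printf("%-36s %s\n", $value, is_acceptable_password_hash($value) ? 'accept' : 'reject');
}
```

In an application, `is_acceptable_password_hash()` would run on the post-password cookie before any call into the hashing framework; a rejected value is treated exactly like a missing cookie, so no CPU is spent on it. The point is the one the researcher makes: the library cannot know the application's intended cost, so the application has to enforce it at the boundary where user-controlled data enters.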