oss-sec mailing list archives
Re: CVE request: wordpress can be subject of delayed attacks via cookies
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 20 Nov 2008 21:14:15 -0500 (EST)
====================================================== Name: CVE-2008-5113 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113 Reference: MLIST:[oss-security] 20081113 CVE request: wordpress can be subject of delayed attacks via cookies Reference: URL:http://openwall.com/lists/oss-security/2008/11/14/1 Reference: CONFIRM:http://bugs.debian.org/504771 WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection.
Current thread:
- CVE request: wordpress can be subject of delayed attacks via cookies Raphael Geissert (Nov 13)
- Re: CVE request: wordpress can be subject of delayed attacks via cookies Steven M. Christey (Nov 20)