Full Disclosure mailing list archives
Re: Vulnerabilities in WordPress
From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 11 Apr 2010 21:04:51 +0300
Hello Julian!

Thanks for your attention to my advisories which I posted to Full-Disclosure. It looks like you take them to heart too much :-).

But because your other two letters were too lame and you demonstrated not serious behavior, I have put your e-mail into blacklist. I did it just after receiving your three letters. So don't waste your time writing me anymore. I hope this will help you to use your time for good purposes.

If you don't like any of my advisories to Full-Disclosure mailing list, then just ignore it. My advisories are designed for those who are interested in them. So use your time wisely, as I mentioned to the list before, when I banned previous not serious one. This suggestion concerns every reader of all security mailing lists.
Wow, this sounds serious...
Yes, because it's serious. As Brute Force vulnerability in function of protecting pages/posts by a password, as Brute Force vulnerability at login page. And taking into account all user enumeration vulnerabilities in WordPress found by me and other security researchers, and taking into account Weak Password vulnerability in WordPress (http://websecurity.com.ua/2044/), which I disclosed in 2008, the last hole becomes even more serious.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: julian steward
To: MustLive ; full-disclosure () lists grok org uk
Sent: Monday, March 22, 2010 2:13 AM
Subject: Re: [Full-disclosure] Vulnerabilities in WordPress

Wow, this sounds serious...

On Sat, Mar 20, 2010 at 8:58 AM, MustLive <mustlive () websecurity com ua> wrote:

Hello Full-Disclosure!

I want to warn you about vulnerabilities in WordPress.

-----------------------------
Advisory: Vulnerabilities in WordPress
-----------------------------
URL: http://websecurity.com.ua/4016/
-----------------------------
Timeline:

02.03.2010 - found the vulnerabilities.
02.03.2010 - didn't inform developers. After I informed WP developers about multiple vulnerabilities in WordPress in December 2007 and they ignored them - some didn't fix and some hiddenly fixed, without thanking me and referencing me (they even didn't mention about those fixed holes in release notes on official site) - starting from 2008 I never more inform them about vulnerabilities in WordPress. These holes were posted to Bugtraq (http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded).
09.03.2010 - disclosed at my site.
-----------------------------
Details:

These are Brute Force and Insufficient Authorization vulnerabilities.

Earlier in 2008 I already wrote about Brute Force vulnerability in WordPress (http://websecurity.com.ua/2007/), which was found by Kad already in 2007 (http://securityvulns.ru/Pdocument580.html). And as I found at 02.03.2010 in WordPress 2.9.2 this vulnerability still wasn't fixed. And also I found new vulnerabilities in WP.

Brute Force:

There is no protection from picking up of a password (from Brute Force attacks) in function of protecting pages/posts by a password.

Insufficient Authorization:

At every page/post in WP it's possible to set a password and these passwords can be equal. But function of accessing by a password writes global cookie, which works for the whole site. And so, after setting the password one time for one page/post, it's possible to see all protected pages/posts (with the same password, even without knowing that the password matches), because at a request to them the access will be granted automatically.

Vulnerable are WordPress 2.9.2 and previous versions (all 2.x versions). I tested in different versions of WP, particularly in 2.0.11 and 2.9.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
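The two issues described in the advisory above, as an added example that is not part of the original message and is not WordPress code: a simplified Python model of a site-wide password cookie next to a per-post token, plus a failed-attempt limiter for the unlock form. All names (`POSTS`, `SERVER_KEY`, `issue_token`, `AttemptLimiter`, and so on) and the sample data are constructed for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: per-site secret kept server-side

# Constructed sample data: two protected posts that happen to share a password.
POSTS = {101: "spring2010", 102: "spring2010", 103: "other-secret"}

def global_cookie_allows(cookie_value, post_id):
    """Pattern described in the advisory: one site-wide cookie holds the
    submitted password and is compared against whichever post is requested."""
    return cookie_value is not None and hmac.compare_digest(cookie_value, POSTS[post_id])

def issue_token(post_id, password):
    """Hardened variant: the token is bound to one post id, so unlocking
    post 101 says nothing about post 102 even if the passwords match."""
    if not hmac.compare_digest(password, POSTS[post_id]):
        return None
    msg = f"{post_id}:{password}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def scoped_token_allows(tokens, post_id):
    """tokens maps post id -> token, i.e. one cookie per protected post."""
    expected = issue_token(post_id, POSTS[post_id])
    presented = tokens.get(post_id)
    return presented is not None and hmac.compare_digest(presented, expected)

class AttemptLimiter:
    """Brute-force guard: at most max_failures wrong guesses per
    (client, post) inside a sliding window of window_s seconds."""
    def __init__(self, max_failures=5, window_s=300):
        self.max_failures, self.window_s = max_failures, window_s
        self.failures = {}

    def try_unlock(self, client, post_id, password, now=None):
        now = time.time() if now is None else now
        key = (client, post_id)
        recent = [t for t in self.failures.get(key, []) if now - t < self.window_s]
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            return "locked"
        token = issue_token(post_id, password)
        if token is None:
            recent.append(now)
            return "denied"
        return token
```

In the model, a cookie set while unlocking post 101 also opens post 102 under the site-wide check, while the scoped token for 101 is rejected for 102 and the limiter returns "locked" once the failure budget for a client and post is spent.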