Full Disclosure mailing list archives

Re: Vulnerabilities in WordPress


From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 11 Apr 2010 21:04:51 +0300

Hello Julian!

Thanks for your attention to my advisories which I posted to
Full-Disclosure. It looks like you take them to heart too much :-).

But because your other two letters were too lame and you demonstrated
unserious behavior, I have put your e-mail on a blacklist. I did it just after
receiving your three letters. So don't waste your time writing me anymore.

I hope this will help you to use your time for good purposes. If you don't
like any of my advisories to the Full-Disclosure mailing list, then just ignore
them. My advisories are designed for those who are interested in them.

So use your time wisely, as I mentioned to the list before, when I banned the
previous unserious one. This suggestion concerns every reader of all
security mailing lists.

Wow, this sounds serious...

Yes, because it's serious. Both the Brute Force vulnerability in the function
for protecting pages/posts by a password and the Brute Force vulnerability at
the login page are serious. And taking into account all user enumeration
vulnerabilities in WordPress found by me and other security researchers, and
taking into account the Weak Password vulnerability in WordPress
(http://websecurity.com.ua/2044/), which I disclosed in 2008, the last hole
becomes even more serious.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: julian steward
To: MustLive ; full-disclosure () lists grok org uk
Sent: Monday, March 22, 2010 2:13 AM
Subject: Re: [Full-disclosure] Vulnerabilities in WordPress

Wow, this sounds serious...

On Sat, Mar 20, 2010 at 8:58 AM, MustLive <mustlive () websecurity com ua>
wrote:

Hello Full-Disclosure!

I want to warn you about vulnerabilities in WordPress.

-----------------------------
Advisory: Vulnerabilities in WordPress
-----------------------------
URL: http://websecurity.com.ua/4016/
-----------------------------
Timeline:

02.03.2010 - found the vulnerabilities.
02.03.2010 - didn't inform developers. After I informed WP developers
about multiple vulnerabilities in WordPress in December 2007 and they
ignored them - some they didn't fix and some they fixed quietly, without
thanking me or referencing me (they didn't even mention those fixed holes in
the release notes on the official site) - starting from 2008 I have never
informed them about vulnerabilities in WordPress again. These holes were
posted to Bugtraq
(http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded).
09.03.2010 - disclosed at my site.
-----------------------------
Details:

These are Brute Force and Insufficient Authorization vulnerabilities.

Earlier, in 2008, I already wrote about a Brute Force vulnerability in WordPress
(http://websecurity.com.ua/2007/), which had been found by Kad in 2007
(http://securityvulns.ru/Pdocument580.html). And as I found on 02.03.2010, in
WordPress 2.9.2 this vulnerability still wasn't fixed. I also found new
vulnerabilities in WP.

Brute Force:

There is no protection against password guessing (Brute Force attacks) in the
function for protecting pages/posts by a password.

Insufficient Authorization:

On every page/post in WP it's possible to set a password, and these passwords
can be equal. But the function for accessing by a password writes a global
cookie, which works for the whole site. And so, after entering the password once
for one page/post, it's possible to see all protected pages/posts with the
same password (even without knowing that the password matches), because on a
request to them the access will be granted automatically.

Vulnerable are WordPress 2.9.2 and previous versions (all 2.x versions). I
tested it in different versions of WP, particularly in 2.0.11 and 2.9.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
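A defender-side illustration of the two issues the advisory above describes: a site-wide password cookie that unlocks every post sharing the same password, beside a hardened variant that binds the cookie to one post and limits guesses. This is an added example, not WordPress code or the advisory author's code; the cookie names, post data, server secret and attempt limit are constructed assumptions.

```python
import hmac
import secrets

# Constructed toy model of WordPress 2.x post-password handling, not WordPress
# code. Posts 1 and 2 deliberately share a password (constructed sample data).
POSTS = {1: "secret1", 2: "secret1", 3: "other-pw"}   # post_id -> password

# Weak scheme described in the advisory: one site-wide cookie.
def submit_password_global(cookies, password):
    cookies["wp-postpass"] = password          # valid for the whole site

def can_view_global(cookies, post_id):
    # Any post whose password equals the cookie value is unlocked, even one the
    # visitor never unlocked: the insufficient-authorization issue.
    return hmac.compare_digest(cookies.get("wp-postpass", ""), POSTS[post_id])

# Hardened scheme (added here): per-post token plus a per-post attempt limit.
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret, never sent out
MAX_ATTEMPTS = 5
_failures = {}                             # post_id -> failed attempts

def _token(post_id):
    # Binds post id and password to the server secret, so the cookie issued for
    # post 1 is useless for post 2 even though both passwords are identical.
    msg = f"{post_id}:{POSTS[post_id]}".encode()
    return hmac.new(SERVER_SECRET, msg, "sha256").hexdigest()

def submit_password_scoped(cookies, post_id, password):
    if _failures.get(post_id, 0) >= MAX_ATTEMPTS:
        return False                           # brute-force limit reached
    if hmac.compare_digest(password, POSTS[post_id]):
        _failures[post_id] = 0
        cookies[f"wp-postpass_{post_id}"] = _token(post_id)
        return True
    _failures[post_id] = _failures.get(post_id, 0) + 1
    return False

def can_view_scoped(cookies, post_id):
    # Only a cookie issued for this exact post grants access.
    return hmac.compare_digest(cookies.get(f"wp-postpass_{post_id}", ""), _token(post_id))

def demo():
    # Unlock post 1 under both schemes and report which posts become visible.
    weak, hard = {}, {}
    submit_password_global(weak, "secret1")
    submit_password_scoped(hard, 1, "secret1")
    return ([can_view_global(weak, p) for p in POSTS],
            [can_view_scoped(hard, p) for p in POSTS])
```

In a real deployment the failure counter would live in persistent storage keyed by client as well as post, and the token would carry an expiry; the in-memory dict here only shows the shape of the check.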

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
