Full Disclosure mailing list archives
Re: Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1
From: Julius Kivimäki <julius.kivimaki () gmail com>
Date: Mon, 9 Dec 2013 01:30:21 +0200
Pretty sure this is like the 50th time this year you send an email regarding a vulnerability without actually specifying the vulnerability, are you sure your client isn't cutting out parts of your messages?

2013/12/8 MustLive <mustlive () websecurity com ua>
Hello list!

Earlier I wrote about one vulnerability in WordPress, which was hiddenly fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70) and about nine vulnerabilities in versions 3.6 and 3.6.1 (http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.

These are hiddenly fixed vulnerabilities in such versions of WordPress as 3.5 and 3.5.1. Developers of WP intentionally haven't written about them to decrease official number of fixed holes. Which is typical for them - since 2007 they often hide fixed vulnerabilities.

As I wrote in July (http://websecurity.com.ua/6634/), there are multiple vulnerabilities in Akismet plugin, which bundles with core of WordPress, so all holes in this plugin directly related to WP. But developers typically fix holes in Akismet without mentioning about them among fixed in WP (in official announcement), they even didn't mention in announcement or Codex about updating version of the plugin. At that they wrote about fixed holes in plugin's changelog, but didn't write about fixed holes, which I informed in 2012 (and didn't fix all the holes).

So these vulnerabilities were hiddenly fixed in WP 3.5 and 3.5.1, only mentioned in the changelog (http://wordpress.org/plugins/akismet/changelog/).

WordPress 3.5.1:

In this version of WP the Akismet was updated from 2.5.6 to 2.5.7. In it there were fixed few Full path disclosure vulnerabilities and added .htaccess to block direct access to plugin's files (which can be used for protecting against FPD, XSS and Redirector vulnerabilities disclosed by me in 2012).

Vulnerable are WordPress 3.5 and previous versions.

WordPress 3.5.2:

In this version of WP the Akismet was updated from 2.5.7 to 2.5.8. In it there are security improvements (they didn't specify the details).

Vulnerable are WordPress 3.5.1 and previous versions.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/