Re: Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1

[Julius Kivimäki <julius.kivimaki () gmail com>]

Pretty sure this is like the 50th time this year you send an email
regarding a vulnerability without actually specifying the vulnerability,
are you sure your client isn't cutting out parts of your messages?


2013/12/8 MustLive <mustlive () websecurity com ua>

> Hello list!
>
> Earlier I wrote about one vulnerability in WordPress, which were hiddenly
> fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70)
> and about nine vulnerabilities in versions 3.6 and 3.6.1 (
> http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.
>
> These are hiddenly fixed vulnerabilities in such versions of WordPress as
> 3.5 and 3.5.1. Developers of WP intentionally haven't wrote about them to
> decrease official number of fixed holes. Which is typical for them - since
> 2007 they often hide fixed vulnerabilities.
>
> As I wrote in July (http://websecurity.com.ua/6634/), there are multiple
> vulnerabilities in Akismet plugin, which bundles with core of WordPress, so
> all holes in this plugin directly related to WP. But developers typically
> fix holes in Akismet without mentioning about them among fixed in WP (in
> official announcement), they even didn't mentioned in announcement or Codex
> about updating version of the plugin. At that they wrote about fixed holes
> in plugin's changelog, but didn't write about fixed holes, which I informed
> in 2012 (and didn't fix all the holes). So these vulnerabilities were
> hiddenly fixed in WP 3.5 and 3.5.1, only mentioned in the changelog (
> http://wordpress.org/plugins/akismet/changelog/).
>
> WordPress 3.5.1:
>
> In this version of WP the Akismet was updated from 2.5.6 to 2.5.7. In it
> there were fixed few Full path disclosure vulnerabilities and added
> .htaccess to block direct access to plugin's files (which can be used for
> protecting against FPD, XSS and Redirector vulnerabilities disclosed by me
> in 2012).
>
> Vulnerable are WordPress 3.5 and previous versions.
>
> WordPress 3.5.2:
>
> In this version of WP the Akismet was updated from 2.5.7 to 2.5.8. In it
> there are security improvements (they didn't specify the details).
>
> Vulnerable are WordPress 3.5.1 and previous versions.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/