Date: Fri, 6 Jan 2012 12:38:32 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com, kseifrie@...hat.com
Cc: moderators@...db.org
Subject: Re: CVE-request: WordPress SQL injection and
 arbitrary code injection (2003)

On Wed, Jan 04, 2012 at 02:27:58PM -0700, Kurt Seifried wrote:
> On 01/03/2012 02:41 PM, Henri Salo wrote:
> > These two WordPress security vulnerabilities from 2003 are still without CVE-identifiers. I am requesting CVE-identifiers as these issues have highly critical impact.
> >
> > 1) SQL injection
> > http://osvdb.org/show/osvdb/4610
> Please use CVE-2003-1598 for the WordPress 0.70
> ./wp-links/links.all.php SQL Injection
> 
> 
> >
> > 2) Arbitrary code injection
> > http://osvdb.org/show/osvdb/4611
> Please use CVE-2003-1599 for the WordPress 0.70 ./blog.header.php
> code injection
> >
> > Secunia advisory: http://secunia.com/advisories/8954/
> >
> > - Henri Salo
> http://www.kernelpanik.org/docs/kernelpanik/wordpressadv.txt
> 
> -- 
> 
> -- Kurt Seifried / Red Hat Security Response Team

Thank you for the identifiers. Descriptions are switched.

4610 CVE-2003-1598 is about blog.header.php posts variable SQL injection
4611 CVE-2003-1599 is about links.all.php abspath variable RFI

OSVDB already added these to the advisories, but that can be easily fixed. In future I can add files affected and correct parameters to these requests for clarity. Sorry for the confusion, but could you tell me which CVE should be used for which vulnerability?

- Henri Salo
