Date: Thu, 26 Jan 2012 03:24:45 +0200
From: Henri Salo <henri@...v.fi>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: TWSL2012-002: Multiple Vulnerabilities in WordPress

On Wed, Jan 25, 2012 at 05:02:58PM -0700, Kurt Seifried wrote:
> On 01/25/2012 08:31 AM, Henri Salo wrote:
> > FYI: http://seclists.org/fulldisclosure/2012/Jan/416
> >
> > - Henri
>
> Uh correct me if I am wrong but these already have CVEs? From the link:
>
> Finding 1: PHP Code Execution and Persistent Cross Site Scripting
> Vulnerabilities via 'setup-config.php' page.
> CVE: CVE-2011-4899
>
> Finding 2: Multiple Cross Site Scripting Vulnerabilities in
> 'setup-config.php' page
> CVE: CVE-2012-0782
>
> Finding 3: MySQL Server Username/Password Disclosure Vulnerability via
> 'setup-config.php' page
> CVE: CVE-2011-4898

Yes you are correct. My point was to share this information with oss-security and the information being that WordPress is not going to fix these issues. Not everyone from oss-security is reading full-disclosure and still want to know security-related topics of open-source software and looking at the last posts of full-disclosure I don't wonder why :)

- Henri Salo