Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 18 Aug 2009 16:44:39 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Wordpress


These pre-2.8.3 issues were SPLIT into two CVEs because they are
effectively different flaw types, although this is splitting hairs
somewhat.

- Steve


======================================================
Name: CVE-2009-2853
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2853
Reference: MLIST:[oss-security] 20090804 CVE request: Wordpress
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/04/5
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/11768
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/11769
Reference: CONFIRM:http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/

Wordpress before 2.8.3 allows remote attackers to gain privileges via
a direct request to (1) admin-footer.php, (2) edit-category-form.php,
(3) edit-form-advanced.php, (4) edit-form-comment.php, (5)
edit-link-category-form.php, (6) edit-link-form.php, (7)
edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.


======================================================
Name: CVE-2009-2854
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2854
Reference: MLIST:[oss-security] 20090804 CVE request: Wordpress
Reference: URL:http://www.openwall.com/lists/oss-security/2009/08/04/5
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/11765
Reference: CONFIRM:http://core.trac.wordpress.org/changeset/11766
Reference: CONFIRM:http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/

Wordpress before 2.8.3 does not check capabilities for certain
actions, which allows remote attackers to make unauthorized edits or
additions via a direct request to (1) edit-comments.php, (2)
edit-pages.php, (3) edit.php, (4) edit-category-form.php, (5)
edit-link-category-form.php, (6) edit-tag-form.php, (7) export.php,
(8) import.php, or (9) link-add.php in wp-admin/.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.