Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 26 Jan 2012 03:24:45 +0200
From: Henri Salo <henri@...v.fi>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: TWSL2012-002: Multiple Vulnerabilities in
 WordPress

On Wed, Jan 25, 2012 at 05:02:58PM -0700, Kurt Seifried wrote:
> On 01/25/2012 08:31 AM, Henri Salo wrote:
> > FYI: http://seclists.org/fulldisclosure/2012/Jan/416
> > 
> > - Henri
> 
> Uh correct me if I am wrong but these already have CVE's? From the link:
> 
> Finding 1: PHP Code Execution and Persistent Cross Site Scripting
> Vulnerabilities via 'setup-config.php' page.
> CVE: CVE-2011-4899
> 
> Finding 2: Multiple Cross Site Scripting Vulnerabilities in
> 'setup-config.php' page
> CVE: CVE-2012-0782
> 
> Finding 3: MySQL Server Username/Password Disclosure Vulnerability via
> 'setup-config.php' page
> CVE: CVE-2011-4898

Yes you are correct. My point was to share this information with oss-security and the information being that WordPress is not going to fix these issues. Not everyone from oss-security is reading full-disclosure and still want to kno security-related topics of open-source software and looking at the lasts posts of full-disclosure I don't wonder why :)

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.