Message-ID: <Pine.GSO.4.51.0811202113470.20524@faron.mitre.org>
Date: Thu, 20 Nov 2008 21:14:15 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: wordpress can be subject of delayed attacks via cookies

======================================================
Name: CVE-2008-5113
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113
Reference: MLIST:[oss-security] 20081113 CVE request: wordpress can be subject of delayed attacks via cookies
Reference: URL:http://openwall.com/lists/oss-security/2008/11/14/1
Reference: CONFIRM:http://bugs.debian.org/504771

WordPress 2.6.3 relies on the REQUEST superglobal array in certain
dangerous situations, which makes it easier for remote attackers to
conduct delayed and persistent cross-site request forgery (CSRF)
attacks via crafted cookies, as demonstrated by attacks that (1)
delete user accounts or (2) cause a denial of service (loss of
application access). NOTE: this issue relies on the presence of an
independent vulnerability that allows cookie injection.
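Added example, not part of the original message and not WordPress code: a minimal PHP model of why reading a state-changing parameter from the merged REQUEST array lets a stored cookie supply it on every later request, next to a form that accepts it from the POST body only. The function names, the "action" parameter and the "GPC" merge order are assumptions made for the illustration.

```php
<?php
// Illustration only; build_request(), cookie_only_keys() and the
// "action" parameter are hypothetical names, not taken from WordPress.

// Rebuild a $_REQUEST-like array from its sources. $order is a
// request_order-style string: sources are applied left to right and a
// later source overwrites an earlier one ("GPC" = GET, POST, COOKIE).
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Pattern described in the advisory: the handler takes the value from
// the merged array and cannot tell a cookie from a submitted field.
function action_from_request(array $get, array $post, array $cookie): ?string
{
    $request = build_request($get, $post, $cookie);
    return isset($request['action']) ? (string) $request['action'] : null;
}

// Hardened form: the parameter is accepted from the POST body only.
function action_from_post(array $post): ?string
{
    return isset($post['action']) && is_string($post['action']) ? $post['action'] : null;
}

// Defensive check: parameter names that reach the merged array solely
// because a cookie carries them. Worth logging when non-empty.
function cookie_only_keys(array $get, array $post, array $cookie, array $expected): array
{
    $fromCookieOnly = array_diff_key($cookie, $get, $post);
    return array_values(array_intersect(array_keys($fromCookieOnly), $expected));
}

// Constructed sample: a plain page view with no GET or POST parameters,
// sent by a browser that holds a cookie named like a request parameter.
$get = [];
$post = [];
$cookie = ['action' => 'delete', 'session' => 'constructed-value'];

var_dump(action_from_request($get, $post, $cookie));
var_dump(action_from_post($post));
var_dump(cookie_only_keys($get, $post, $cookie, ['action', 'user']));
```

Because the browser resends the cookie with each request, the first handler sees the parameter on every page load until the cookie is removed, which is the delayed and persistent behaviour the description refers to.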