[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE

Michael S. Gilbert michael.s.gilbert at gmail.com
Tue Aug 11 19:13:14 UTC 2009


On Tue, 11 Aug 2009 18:43:00 +0000, Nico Golde wrote:
> Author: nion
> Date: 2009-08-11 18:43:00 +0000 (Tue, 11 Aug 2009)
> New Revision: 12566
> 
> Modified:
>    data/CVE/list
> Log:
> track new wordpress issue
> 
> Modified: data/CVE/list
> ===================================================================
> --- data/CVE/list	2009-08-11 18:22:31 UTC (rev 12565)
> +++ data/CVE/list	2009-08-11 18:43:00 UTC (rev 12566)
> @@ -1,3 +1,8 @@
> +CVE-2009-XXXX [wordpress password reset]
> +	- wordpress <unfixed> (unimportant; bug #541102)
> +	[lenny] - wordpress <no-dsa> (Minor issue)
> +	[etch] - wordpress <no-dsa> (Minor issue)
> +	NOTE: not really a security issue in my opinion, just an annoying bug
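
Review bot: The NOTE line at the end of the new entry gives only an opinion ("not really a security issue in my opinion") as the basis for the "unimportant" and "<no-dsa> (Minor issue)" tags, and nothing in the entry says what the password reset bug actually allows. Suggest a NOTE that states the concrete impact and any precondition, so the severity can be checked against bug #541102 rather than taken on trust.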

i think there is some concern here.  if i were running wordpress, i
would not want an attacker to be able to change my account's password
without authentication.

although, the question is, what can the attacker do once they have
access to a wordpress account?  not a whole lot; just use wordpress's
functionality. i would say we should want to fix it and probably push
out updates in ospu/spu's.

mike
