[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
Nico Golde
debian-secure-testing+ml at ngolde.de
Wed Aug 12 12:19:21 UTC 2009
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-11 21:37]:
> On Tue, 11 Aug 2009 18:43:00 +0000, Nico Golde wrote:
> > Author: nion
> > Date: 2009-08-11 18:43:00 +0000 (Tue, 11 Aug 2009)
> > New Revision: 12566
> >
> > Modified:
> > data/CVE/list
> > Log:
> > track new wordpress issue
> >
> > Modified: data/CVE/list
> > ===================================================================
> > --- data/CVE/list 2009-08-11 18:22:31 UTC (rev 12565)
> > +++ data/CVE/list 2009-08-11 18:43:00 UTC (rev 12566)
> > @@ -1,3 +1,8 @@
> > +CVE-2009-XXXX [wordpress password reset]
> > + - wordpress <unfixed> (unimportant; bug #541102)
> > + [lenny] - wordpress <no-dsa> (Minor issue)
> > + [etch] - wordpress <no-dsa> (Minor issue)
> > + NOTE: not really a security issue in my opinion, just an annoying bug
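Review bot: the NOTE line records an opinion ("not really a security issue in my opinion") rather than the reason for the rating, yet it is the only justification for marking the package unimportant and both [lenny] and [etch] as <no-dsa>. State the concrete basis in the NOTE, e.g. that the reset can be triggered without authentication but does not give the requester access to the account, so a later triager can re-check the severity against bug #541102 without re-deriving the argument. The CVE-2009-XXXX placeholder should also be replaced once an identifier is assigned.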
>
> I think there is some concern here. If I were running wordpress, I
> would not want an attacker to be able to change my account's password
> without authentication.
Guessing an email address is also not authentication. There
is no security issue here; it's a bug, yes, an annoying one,
but nothing more.
> Although, the question is, what can the attacker do once they have
> access to a wordpress account? Not a whole lot; just use wordpress's
> functionality. I would say we should want to fix it and probably push
> out updates in ospu/spu's.
I don't get your point; there is no account compromise
here. If there were, editing other people's entries could do
damage as well, e.g. in business environments.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.