oss-sec mailing list archives

CVE request: wordpress can be subject of delayed attacks via cookies


From: Raphael Geissert <atomo64+debian () gmail com>
Date: Thu, 13 Nov 2008 21:05:17 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Due to the completely incorrect usage of $_REQUEST almost all over the place, 
WordPress is subject to delayed attacks via cookies.

The attack can be performed as long as there is some way to inject a cookie 
which is sent by the browser to the server.

More info at http://bugs.debian.org/504771

Could a CVE id be assigned please?

Thanks in advance.

Kind regards,
- -- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkc6u0ACgkQYy49rUbZzlrmmQCfZNQ6ZERLCODohN1+TTvUcXvs
KHcAn1rGqXuxrvmPU70ULqeR75L3vp1X
=pVPw
-----END PGP SIGNATURE-----
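
How a stored cookie ends up in `$_REQUEST`, as an added example that is not part of the original message and is not WordPress code: it models PHP's merge of GET, POST and COOKIE data in the order given by `request_order` (falling back to `variables_order`, default `EGPCS`) and compares a read from `$_REQUEST` with a read from `$_POST`. The `action` parameter, the helper names and the sample values are hypothetical.

```php
<?php
// Added example. Models how PHP fills $_REQUEST: each letter of $order
// (G = GET, P = POST, C = COOKIE) is merged in turn, later sources winning.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {          // E and S do not feed $_REQUEST
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Pattern the report criticises: the caller cannot tell where the value came from.
function action_from_request(array $request): ?string
{
    $value = $request['action'] ?? null;
    return is_string($value) ? $value : null;
}

// Source-explicit form: only what the submitted form carried is considered.
function action_from_post(array $post): ?string
{
    $value = $post['action'] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed sample data; parameter names and values are hypothetical.
$cookie = ['action' => 'value-from-old-cookie'];   // stored during an earlier visit
$cases = [
    'form omits action' => ['title' => 'My blog'],
    'form sends action' => ['title' => 'My blog', 'action' => 'save'],
];

foreach ($cases as $label => $post) {
    foreach (['EGPCS', 'GP'] as $order) {
        $request = build_request($order, [], $post, $cookie);
        printf(
            "%-18s order=%-5s \$_REQUEST action=%-24s \$_POST action=%s\n",
            $label,
            $order,
            var_export(action_from_request($request), true),
            var_export(action_from_post($post), true)
        );
    }
}
```

With cookies in the merge order, the `$_REQUEST` read returns the cookie's value both when the form omits `action` and when it sends one; with `GP`, or when reading `$_POST` directly, the cookie is never consulted.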

