Pretty sure this is like the 50th time this year you've sent an email regarding a vulnerability without actually specifying the vulnerability. Are you sure your client isn't cutting out parts of your messages?
2013/12/8 MustLive <[email protected]>
> Hello list!
>
> Earlier I wrote about one vulnerability in WordPress, which was silently
> fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70)
> and about nine vulnerabilities in versions 3.6 and 3.6.1
> (http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.
>
> These are silently fixed vulnerabilities in WordPress versions 3.5 and
> 3.5.1. The WP developers intentionally haven't written about them, to
> decrease the official number of fixed holes. This is typical for them: since
> 2007 they have often hidden fixed vulnerabilities.
>
> As I wrote in July (http://websecurity.com.ua/6634/), there are multiple
> vulnerabilities in the Akismet plugin, which is bundled with the WordPress
> core, so all holes in this plugin relate directly to WP. But the developers
> typically fix holes in Akismet without mentioning them among the holes fixed
> in WP (in the official announcement); they didn't even mention the updated
> version of the plugin in the announcement or the Codex. They did write about
> fixed holes in the plugin's changelog, but didn't write about the holes I
> reported in 2012 (and didn't fix all of them). So these vulnerabilities were
> silently fixed in WP 3.5 and 3.5.1, mentioned only in the changelog
> (http://wordpress.org/plugins/akismet/changelog/).
>
> WordPress 3.5.1:
>
> In this version of WP, Akismet was updated from 2.5.6 to 2.5.7. In it a few
> Full path disclosure vulnerabilities were fixed and an .htaccess was added to
> block direct access to the plugin's files (which can be used to protect
> against the FPD, XSS and Redirector vulnerabilities I disclosed in 2012).
>
> Vulnerable are WordPress 3.5 and previous versions.
>
> WordPress 3.5.2:
>
> In this version of WP, Akismet was updated from 2.5.7 to 2.5.8. In it there
> are security improvements (they didn't specify the details).
>
> Vulnerable are WordPress 3.5.1 and previous versions.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
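The quoted post mentions that Akismet 2.5.7 added an .htaccess to block direct requests to the plugin's PHP files, the usual source of Full path disclosure: a plugin file requested outside WordPress calls an undefined WordPress function or includes a missing relative path, and PHP's error message prints the absolute path. The complementary, web-server-independent defence is a guard at the top of each PHP file that bails out when WordPress has not loaded it (the `ABSPATH` constant is defined by WordPress's own bootstrap). The script below is an added example, not code from Akismet, WordPress or the poster: it walks a plugin directory and lists PHP files that lack such a guard. The guard patterns are the common idioms, not a complete list, and the sample plugin tree is constructed in a temporary directory.

```python
"""Report PHP files in a WordPress plugin that will execute when requested
directly, i.e. files without a direct-access guard (added example)."""
import os
import re
import tempfile

# Guard idioms commonly found at the top of plugin files. Any one of them makes
# the file exit when it is loaded outside WordPress, where ABSPATH / WPINC are
# undefined. This list is an assumption about common practice, not exhaustive.
GUARD_PATTERNS = [
    re.compile(r"""defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*(\|\||or)\s*(die|exit)""", re.I),
    re.compile(r"""if\s*\(\s*!\s*defined\s*\(\s*['"]ABSPATH['"]\s*\)\s*\)""", re.I),
    re.compile(r"""if\s*\(\s*!\s*defined\s*\(\s*['"]WPINC['"]\s*\)\s*\)""", re.I),
]


def has_direct_access_guard(source: str, head_chars: int = 2000) -> bool:
    """True if a guard appears near the top of the file (before any real work)."""
    head = source[:head_chars]
    return any(p.search(head) for p in GUARD_PATTERNS)


def find_unguarded_php(plugin_dir: str) -> list:
    """Return plugin-relative paths of .php files with no direct-access guard."""
    unguarded = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not has_direct_access_guard(fh.read()):
                    rel = os.path.relpath(path, plugin_dir).replace(os.sep, "/")
                    unguarded.append(rel)
    return sorted(unguarded)


# Constructed sample plugin: two guarded files and one that is not. Requested
# directly with display_errors on, lib/helper.php would die with
# "Call to undefined function add_action() in /abs/path/lib/helper.php",
# which is exactly the Full path disclosure the .htaccess rule is meant to stop.
SAMPLE_FILES = {
    "plugin.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) {\n    exit;\n}\n"
                  "add_action( 'init', 'sample_init' );\n",
    "admin/page.php": "<?php\ndefined('ABSPATH') || die('No direct access');\n"
                      "echo 'admin page';\n",
    "lib/helper.php": "<?php\nadd_action( 'init', 'sample_helper' );\n"
                      "function sample_helper() {}\n",
}


def build_sample_plugin() -> str:
    """Write the constructed plugin tree to a fresh temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="wp_plugin_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def demo() -> list:
    """Scan the constructed plugin; only lib/helper.php should be reported."""
    return find_unguarded_php(build_sample_plugin())


if __name__ == "__main__":
    for rel in demo():
        print("no direct-access guard:", rel)
```

Run it against a real plugin with `find_unguarded_php("/path/to/wp-content/plugins/<plugin>")`. The in-file guard and the .htaccess rule (an Apache `Deny from all` / `Require all denied` on the plugin directory's PHP files, except entry points that must be reachable) address the same exposure from different layers; the guard still protects when the site runs on a web server that ignores .htaccess, which is why a scan like this is worth running even where the rule is present.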
