On Tue, 11 Aug 2009 18:43:00 +0000, Nico Golde wrote: > Author: nion > Date: 2009-08-11 18:43:00 +0000 (Tue, 11 Aug 2009) > New Revision: 12566 > > Modified: > data/CVE/list > Log: > track new wordpress issue > > Modified: data/CVE/list > =================================================================== > --- data/CVE/list 2009-08-11 18:22:31 UTC (rev 12565) > +++ data/CVE/list 2009-08-11 18:43:00 UTC (rev 12566) > @@ -1,3 +1,8 @@ > +CVE-2009-XXXX [wordpress password reset] > + - wordpress <unfixed> (unimportant; bug #541102) > + [lenny] - wordpress <no-dsa> (Minor issue) > + [etch] - wordpress <no-dsa> (Minor issue) > + NOTE: not really a security issue in my opinion, just an annoying bug
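Review bot: The NOTE line in the new CVE-2009-XXXX entry gives only an opinion ("not really a security issue in my opinion") as the basis for the "unimportant" and <no-dsa> (Minor issue) tags. It should state what the password reset bug actually allows, so that the severity can be checked against bug #541102. The same judgement is also recorded twice, as "unimportant" on the <unfixed> line and as "Minor issue" on the lenny and etch lines, so any later change of triage has to update all three.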
i think there is some concern here. if i were running wordpress, i would not want an attacker to be able to change my account's password without authentication. although, the question is, what can the attacker do once they have access to a wordpress account? not a whole lot; just use wordpress's functionality. i would say we should want to fix it and probably push out updates in ospu/spu's.

mike

