On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote: > Michael S. Gilbert ha scritto: > > > although, the question is, what can the attacker do once they have > > access to a wordpress account? > > Note that attacker do not have access to a wordpress account, he can only send > the reset password in admin email.
if the attacker can send a password reset request, they can then change the password, right? or does that just send an email back to the valid user? if that's the case, then yes, the worst is that someone could do is cause some annoyance by generating those mails. note that fedora pushed updates for this today, so they must consider it to be of worthwhile concern. not that we should view their opinion as definitive, but it is more evidence that this is a real issue. mike _______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
