Hi,
* Michael S. Gilbert <[email protected]> [2009-08-11 21:37]:
> On Tue, 11 Aug 2009 18:43:00 +0000, Nico Golde wrote:
> > Author: nion
> > Date: 2009-08-11 18:43:00 +0000 (Tue, 11 Aug 2009)
> > New Revision: 12566
> >
> > Modified:
> > data/CVE/list
> > Log:
> > track new wordpress issue
> >
> > Modified: data/CVE/list
> > ===================================================================
> > --- data/CVE/list 2009-08-11 18:22:31 UTC (rev 12565)
> > +++ data/CVE/list 2009-08-11 18:43:00 UTC (rev 12566)
> > @@ -1,3 +1,8 @@
> > +CVE-2009-XXXX [wordpress password reset]
> > + - wordpress <unfixed> (unimportant; bug #541102)
> > + [lenny] - wordpress <no-dsa> (Minor issue)
> > + [etch] - wordpress <no-dsa> (Minor issue)
> > + NOTE: not really a security issue in my opinion, just an annoying bug
> I think there is some concern here. If I were running wordpress, I
> would not want an attacker to be able to change my account's password
> without authentication.
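Review bot: the NOTE line of the new entry records an opinion ("not really a security issue in my opinion") rather than the reason the issue is rated unimportant, and the reply in this thread already questions that rating. State the concrete justification in the NOTE instead, namely that an unauthenticated reset forces a password change but does not hand the requester the account, so that later triagers can check the "unimportant" / "Minor issue" tags against it rather than against a bare opinion. The CVE-2009-XXXX placeholder also needs to be replaced by the assigned identifier once it is known.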
Guessing an email address is also not authentication. There is no security issue here; it's a bug, yes an annoying one, but nothing more.

> Although, the question is, what can the attacker do once they have
> access to a wordpress account? Not a whole lot; just use wordpress's
> functionality. I would say we should want to fix it and probably push
> out updates in ospu/spu's.

I don't get your point, there is no account compromise here. If there were, editing other people's entries could be damaging as well, e.g. in business environments.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
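As an added illustration of the design point argued over in the thread above (this is example code written for this page, not WordPress's code and not anything posted by either participant): a password reset that takes effect as soon as anyone who knows the address asks for it, next to a reset that only mails a single-use, expiring token and changes nothing about the account until that token is presented. The in-memory account store, the outbox that stands in for e-mail delivery, the example.invalid addresses and the sha256 stand-in for a real password hash are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple


def _hash(value: str) -> str:
    """Stand-in digest for the demo; real code would use a dedicated
    password hash (bcrypt/argon2) for the stored password."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class Account:
    def __init__(self, email: str, password_hash: str) -> None:
        self.email = email
        self.password_hash = password_hash
        self.reset_token_hash: Optional[str] = None   # digest of the outstanding token
        self.reset_expires = 0.0                       # unix time after which it is dead


class AccountStore:
    """In-memory accounts plus an 'outbox' standing in for e-mail delivery
    (constructed for the example; nothing is actually sent)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []       # (recipient, body)

    def add(self, email: str, password: str) -> None:
        self.accounts[email] = Account(email, _hash(password))

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and hmac.compare_digest(acct.password_hash, _hash(password))

    # Weak design: the reset takes effect the moment anyone who knows the
    # address asks for it. The requester never sees the new password (it goes
    # to the mailbox), so this is a forced lock-out, not an account takeover.
    def weak_reset(self, email: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        new_password = secrets.token_urlsafe(12)
        acct.password_hash = _hash(new_password)      # the old password stops working now
        self.outbox.append((email, "Your new password is " + new_password))
        return True

    # Hardened design: the request only mails a single-use, expiring token.
    # The account is untouched until the mailbox owner presents that token.
    def request_reset(self, email: str, ttl_seconds: int = 900,
                      now: Optional[float] = None) -> None:
        acct = self.accounts.get(email)
        if acct is None:
            return                                     # same silence for unknown addresses
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = _hash(token)           # keep only a digest server-side
        acct.reset_expires = (time.time() if now is None else now) + ttl_seconds
        self.outbox.append((email, "Reset link: https://example.invalid/reset?token=" + token))

    def confirm_reset(self, email: str, token: str, new_password: str,
                      now: Optional[float] = None) -> bool:
        acct = self.accounts.get(email)
        current = time.time() if now is None else now
        if acct is None or acct.reset_token_hash is None or current > acct.reset_expires:
            return False                               # no outstanding token, or expired
        if not hmac.compare_digest(acct.reset_token_hash, _hash(token)):
            return False                               # wrong token, constant-time compare
        acct.password_hash = _hash(new_password)
        acct.reset_token_hash = None                   # single use
        acct.reset_expires = 0.0
        return True


def token_from_mail(store: AccountStore, email: str) -> Optional[str]:
    """Pull the token out of the most recent reset mail for `email`
    (this plays the legitimate mailbox owner)."""
    for recipient, body in reversed(store.outbox):
        if recipient == email and "token=" in body:
            return body.split("token=", 1)[1]
    return None


if __name__ == "__main__":
    weak = AccountStore()
    weak.add("owner@example.invalid", "hunter2")
    weak.weak_reset("owner@example.invalid")           # attacker only knows the address
    print("weak: owner still logs in?", weak.login("owner@example.invalid", "hunter2"))

    hard = AccountStore()
    hard.add("owner@example.invalid", "hunter2")
    hard.request_reset("owner@example.invalid")
    print("hardened: owner still logs in?", hard.login("owner@example.invalid", "hunter2"))
    print("hardened: guessed token accepted?",
          hard.confirm_reset("owner@example.invalid", "guess", "pwned"))
```

The weak flow shows both sides of the argument at once: the requester never learns the new password, so there is no account compromise, but the owner's old password stops working on a stranger's request, which is the unauthenticated change Michael objects to. The token flow removes that lock-out: the stored password is untouched until someone holding the mailbox completes the reset, the token is compared by digest in constant time and discarded after one use, and an expired or guessed token is refused.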

