Hi, * Michael S. Gilbert <[email protected]> [2009-08-12 11:58]: > On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote: > > Michael S. Gilbert ha scritto: > > > > > although, the question is, what can the attacker do once they have > > > access to a wordpress account? > > > > Note that attacker do not have access to a wordpress account, he can only > > send > > the reset password in admin email. > > if the attacker can send a password reset request, they can then change > the password, right? or does that just send an email back to the valid > user? if that's the case, then yes, the worst is that someone could do > is cause some annoyance by generating those mails.
Are you analysing the vulnerability you are tracking in the tracker or what? Sorry these discussions become pretty annoying and time consuming. Read the advisory and the code and you will see that this is not a reset in the meaning of an admin having a blank password after it. Fix some code and work on patches instead, way more useful. > note that fedora pushed updates for this today, so they must consider > it to be of worthwhile concern. Who cares... [...] Cheers Nico (annoyed) -- Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA For security reasons, all text in this mail is double-rot13 encrypted.
pgpxkX50dDOFZ.pgp
Description: PGP signature
_______________________________________________ Secure-testing-team mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
