Package: wordpress
Version: 2.0.7-1
Severity: grave
Tags: security

Hi,

Due to the completely incorrect usage of $_REQUEST almost all over the place wordpress is subject to delayed attacks via cookies.
The attack can be performed as long as there is some way to inject a cookie which is sent by the browser to the server.
Note that this means that some XSS vulnerability in wordpress or in any other service, or even by visiting a malicious site under the same domain could lead to any of the following (and even lots more) attacks.

Attack: Denial Of Service
Required cookies: GLOBALS=<anything>
Triggering file: index.php (just an example, basically any file including the affected file)
Affected file: wp-settings.php
Effect: no request is processed as it aborts because of the presence of GLOBALS in $_REQUEST

Attack: Deletion of users
Required cookies: action=dodelete, delete_option=delete, users[]=n (where n is an integer)
Triggering file: wp-admin/users.php
Affected file: wp-admin/users.php
Note: this doesn't affect etch's version as it correctly uses $_POST

Attack: Denial Of Service
Required cookies: action=logout
Triggering file: wp-login.php
Affected file: wp-login.php
Effect: redirection loop, preventing the user from logging in etc

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
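
Added example (not part of the original report and not WordPress code): a CLI simulation of the "Deletion of users" case, showing the merged-array read beside a read that accepts the action only from $_POST, as the report says etch's version does. The function names, the "GPC" merge order (cookies included in $_REQUEST) and the sample cookie values are assumptions made for this illustration.

```php
<?php
// Added illustration; simulates how PHP populates $_REQUEST so the effect
// can be observed from the command line without a web server.

// Merge GET, POST and COOKIE in the given order (hypothetical helper).
// Later sources overwrite earlier ones, as with PHP's request_order setting.
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split($order) as $key) {
        $merged = array_replace($merged, $sources[$key]);
    }
    return $merged;
}

// Pattern described in the report: the action is read from the merged array,
// so a cookie is indistinguishable from a submitted form field.
function action_from_request(array $request): ?string
{
    return $request['action'] ?? null;
}

// Stricter pattern: a state-changing action is accepted only from the body
// of a POST request; cookies and query strings are never consulted.
function action_from_post(string $method, array $post): ?string
{
    if ($method !== 'POST') {
        return null;
    }
    return $post['action'] ?? null;
}

// Constructed sample: an administrator simply opens wp-admin/users.php (GET,
// no form submitted) while the cookies listed in the report are present.
$get    = [];
$post   = [];
$cookie = ['action' => 'dodelete', 'delete_option' => 'delete', 'users' => ['2']];

$request = build_request($get, $post, $cookie);

echo "action via merged request: ";
var_dump(action_from_request($request));

echo "action via POST only:      ";
var_dump(action_from_post('GET', $post));
```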