2008/11/7 Andrea De Iacovo <[EMAIL PROTECTED]>:
>> Package: wordpress
>> Version: 2.0.7-1
>> Severity: grave
>> Tags: security
>>
>> Hi,
>>
>> Due to the completely incorrect usage of $_REQUEST almost all over the place
>> wordpress is subject to delayed attacks via cookies.
>>
>> The attack can be performed as long as there is some way to inject a cookie
>> which is sent by the browser to the server. Note that this means that some
>> XSS vulnerability in wordpress or in any other service, or even by visiting a
>> malicious site under the same domain could lead to any of the following (and
>> even lots more) attacks.
> I agree that the problem exists but I don't think it's a grave one.
> As you said, before exploiting wordpress we need to inject a malicious
> cookie and if we can do such things I really don't think the problem is
> going to be wordpress.
>
> At the moment there are no known XSS issues for wordpress (in lenny/sid
> and experimental) so I think the problem really applies to etch only
> (for which we still have CVE-2008-2068 and CVE-2007-4483).

Think about this situation:
You have a blog hosting account at domain.tld, they provide you a
subdomain called 'myblog' (i.e. myblog.domain.tld). Other folks just
like you do also have their blogs or websites or whatever hosted
by domain.tld (anotherblog.domain.tld, www.domain.tld,
myshop.domain.tld, etc).
If any of those many sites has an XSS vulnerability, or anything
else that could lead to the injection of a cookie for the
'.domain.tld' domain *everyone* would be affected.

>
> At the moment the entire wordpress structure is based on the use of
> $_REQUEST and this is obviously one of the worst errors developers could
> do; the changes to apply to get rid of this bad use of $_REQUEST are
> really important so I don't think I should do something without the help
> of upstream developers.

Sure

>
> As soon as the CVE gets confirmed I'll file a bug upstream asking to
> modify wordpress to use $_GET $_POST and $_COOKIES.

Please do not wait.

>
> Thank you very much for reporting this.
>
> Cheers.
>
> Andrea De Iacovo
>

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Chris Rock  - "You don't pay taxes - they take taxes."
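
The cookie-shadowing behaviour discussed in this thread, as an added PHP example that is not part of the original messages and is not WordPress code: it rebuilds `$_REQUEST` for two order strings, lists the parameters a cookie would shadow, and reads the value from an explicit source instead. The function names, the `action` and `post` parameters and the request values are constructed for illustration.

```php
<?php
// Added illustration, not WordPress code; all function names are hypothetical.

// Rebuild $_REQUEST for an order string such as "GPC" (request_order /
// variables_order): sources are merged left to right, later ones win.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Parameter names that a cookie would shadow in a merged $_REQUEST.
// Worth logging: ordinary forms do not send a cookie named like a field.
function shadowed_by_cookie(array $get, array $post, array $cookie): array
{
    return array_keys(array_intersect_key($cookie, $get + $post));
}

// Hardened read: name the source explicitly and allow-list the value.
function read_param(array $source, string $name, array $allowed): ?string
{
    $value = $source[$name] ?? null;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : null;
}

// Constructed request to myblog.domain.tld: the form posts action=view, while
// the browser also holds a cookie "action" scoped to .domain.tld.
$get    = [];
$post   = ['action' => 'view', 'post' => '42'];
$cookie = ['action' => 'delete'];

$legacy = build_request('GPC', $get, $post, $cookie);   // cookies included
$strict = build_request('GP', $get, $post, $cookie);    // cookies excluded

printf("GPC \$_REQUEST['action'] = %s\n", $legacy['action']);
printf("GP  \$_REQUEST['action'] = %s\n", $strict['action']);
printf("shadowed by cookie: %s\n", implode(', ', shadowed_by_cookie($get, $post, $cookie)));
printf("explicit POST read: %s\n", read_param($post, 'action', ['view', 'edit']) ?? 'rejected');
```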


