lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: security at dylanic.de (Michael Renzmann)
Subject: Cafelog WordPress / b2 SQL injection vulnerabilities
 discovered and fixed in CVS

Hi.

Seth Woolley wrote:
> Disclaimer:
> I (Seth) am not a php expert, and I don't run this code, so I haven't
> tested the vendor-provided patch yet, although I assume the vendor has.
> Be advised.

I tested the patch against the current release version of wordpress 
(v0.71). Although I couldn't notice any harm with the provided example 
for the blog I run with this wordpress version, I applied the patch and 
couldn't see any negative impact.

Actually, chances are good that I don't make use of the part of 
Wordpress that would have been compromised by the provided exploit 
example. If anyone could provide another working (and non-destructive 
;)) exploit I'd be willing to test it against both, the release version 
any "my" patched version, in order to verify that the provided patch 
works for 0.71. Or let me know which feature needs to be turned on in 
order to test the effect of the exploit (please be patient with me, I'm 
a Wordpress newbie ;)).

Bye, Mike


Powered by blists - more mailing lists