Open Source and information security mailing list archives
 
Message-ID: <005801cad9a1$b7514880$010000c0@ml>
Date: Sun, 11 Apr 2010 21:04:51 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "julian steward" <julian.steward09@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Vulnerabilities in WordPress

Hello Julian!

Thanks for your attention to my advisories which I posted to
Full-Disclosure. It looks like you take them to heart too much :-).

But because your other two letters were too lame and you demonstrated
unserious behavior, I have put your e-mail into a blacklist. I did it just after
receiving your three letters. So don't waste your time writing to me anymore.

I hope this will help you to use your time for good purposes. If you don't
like any of my advisories to the Full-Disclosure mailing list, then just ignore
them. My advisories are designed for those who are interested in them.

So use your time wisely, as I mentioned to the list before, when I banned
the previous unserious one. This suggestion concerns every reader of all
security mailing lists.

> Wow, this sounds serious...

Yes, because it's serious. Both the Brute Force vulnerability in the function of
protecting pages/posts by a password, and the Brute Force vulnerability at the login
page. And taking into account all user enumeration vulnerabilities in
WordPress found by me and other security researchers, and taking into account
the Weak Password vulnerability in WordPress (http://websecurity.com.ua/2044/),
which I disclosed in 2008, the last hole becomes even more serious.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: julian steward
To: MustLive ; full-disclosure@...ts.grok.org.uk
Sent: Monday, March 22, 2010 2:13 AM
Subject: Re: [Full-disclosure] Vulnerabilities in WordPress


Wow, this sounds serious...


On Sat, Mar 20, 2010 at 8:58 AM, MustLive <mustlive@...security.com.ua>
wrote:

Hello Full-Disclosure!

I want to warn you about vulnerabilities in WordPress.

-----------------------------
Advisory: Vulnerabilities in WordPress
-----------------------------
URL: http://websecurity.com.ua/4016/
-----------------------------
Timeline:

02.03.2010 - found the vulnerabilities.
02.03.2010 - didn't inform developers. After I informed WP developers
about multiple vulnerabilities in WordPress in December 2007 and they
ignored them - some they didn't fix and some they fixed hiddenly, without thanking me
and referencing me (they didn't even mention those fixed holes in
release notes on the official site) - starting from 2008 I no longer inform
them about vulnerabilities in WordPress. These holes were posted to Bugtraq
(http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded).
09.03.2010 - disclosed at my site.
-----------------------------
Details:

These are Brute Force and Insufficient Authorization vulnerabilities.

Earlier in 2008 I already wrote about the Brute Force vulnerability in WordPress
(http://websecurity.com.ua/2007/), which was found by Kad already in 2007
(http://securityvulns.ru/Pdocument580.html). And as I found on 02.03.2010, in
WordPress 2.9.2 this vulnerability still wasn't fixed. And I also found new
vulnerabilities in WP.

Brute Force:

There is no protection from picking of a password (from Brute Force
attacks) in the function of protecting pages/posts by a password.

Insufficient Authorization:

At every page/post in WP it's possible to set a password and these passwords
can be equal. But the function of accessing by a password writes a global cookie,
which works for the whole site. And so, after entering the password one time
for one page/post, it's possible to see all protected pages/posts (with the
same password, even without knowing that the password matches), because at a
request to them the access will be granted automatically.

Vulnerable are WordPress 2.9.2 and previous versions (all 2.x versions). I
tested in different versions of WP, particularly in 2.0.11 and 2.9.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
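
The two issues described in the advisory above, modelled as an added example that is not part of the original messages and is not WordPress code: a site-wide password cookie beside a token bound to one post, plus a limiter on failed guesses. All names, the sample posts and the secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import time

SERVER_SECRET = b"constructed-demo-secret"  # assumption: random per-site key
POSTS = {1: "spring2010", 2: "spring2010", 3: "other-pass"}  # constructed data

def global_cookie(password):
    """Design the advisory describes: one cookie value valid site-wide."""
    return hashlib.sha256(password.encode()).hexdigest()

def global_allows(cookie, post_id):
    expected = hashlib.sha256(POSTS[post_id].encode()).hexdigest()
    return hmac.compare_digest(cookie, expected)

def scoped_token(post_id, password):
    """Hardened form: the token is an HMAC over the post id and password."""
    msg = f"{post_id}:".encode() + password.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def scoped_allows(token, post_id):
    return hmac.compare_digest(token, scoped_token(post_id, POSTS[post_id]))

class AttemptLimiter:
    """Allow at most `limit` failed guesses per (client, post) per window."""
    def __init__(self, limit=5, window=300.0):
        self.limit, self.window, self.failures = limit, window, {}

    def blocked(self, key, now):
        recent = [t for t in self.failures.get(key, []) if now - t < self.window]
        self.failures[key] = recent  # drop failures older than the window
        return len(recent) >= self.limit

    def record_failure(self, key, now):
        self.failures.setdefault(key, []).append(now)

def submit_password(limiter, client, post_id, guess, now=None):
    """Return a post-scoped token on success, None on failure or lockout."""
    now = time.time() if now is None else now
    key = (client, post_id)
    if limiter.blocked(key, now):
        return None
    if hmac.compare_digest(guess.encode(), POSTS[post_id].encode()):
        return scoped_token(post_id, guess)
    limiter.record_failure(key, now)
    return None
```

With the site-wide cookie, unlocking post 1 also unlocks post 2 because the passwords are equal; the scoped token for post 1 is rejected for post 2 even though the password matches.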

