Open Source and information security mailing list archives
Message-ID: <20120125152239.GC4413@foo.fgeek.fi>
Date: Wed, 25 Jan 2012 17:22:39 +0200
From: Henri Salo <henri@...v.fi>
To: Trustwave Advisories <TrustwaveAdvisories@...stwave.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: TWSL2012-002: Multiple Vulnerabilities in WordPress

On Wed, Jan 25, 2012 at 08:43:34AM -0600, Trustwave Advisories wrote:
> The vendor was notified. They have chosen not to fix the issue at this time. The Vendor Response section has the details:
> 
> Vendor Response:
> Due to the fact that the component in question is an installation script,
> the vendor has stated that the attack surface is too small to warrant
> a fix:
> 
> "We give priority to a better user experience at the install process. It is
> unlikely a user would go to the trouble of installing a copy of WordPress
> and then not finishing the setup process more-or-less immediately. The
> window of opportunity for exploiting such a vulnerability is very small."
> 
> However, Trustwave SpiderLabs urges caution in situations where the
> WordPress installation script is provided as part of a default image.
> This is often done as a convenience on hosting providers, even in
> cases where the client does not use the software. It is a best practice
> to ensure that no installation scripts are exposed to outsiders, and
> these vulnerabilities reinforce the importance of this step.

There are A LOT of these open installation pages on the Internet. It is not uncommon to leave those open by accident. Some people also do this because they just don't understand the risks. I am wondering if WordPress would apply a patch if we create one as a collaborative effort. I would be more than happy to help create a patch for this if this is the case.

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
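The unfinished-install scenario Trustwave describes above (a hosting image that ships WordPress, the client never completes setup, and the install script stays reachable) is something a hosting admin can audit on their own server. The following is an added example, not code from this thread or from WordPress: a POSIX shell audit that lists document roots containing a WordPress tree whose setup never completed. It assumes one site directory per subdirectory of the given parent and uses the absence of wp-config.php (which WordPress writes during setup) as the "never finished" marker; the sample layout is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread or from WordPress): list
# document roots under "$1" that hold a WordPress copy whose setup was never
# finished, i.e. wp-admin/install.php exists but wp-config.php does not.
# Assumption: each site lives in its own subdirectory of the parent dir.

find_unfinished_wp_installs() {
    parent="$1"
    for docroot in "$parent"/*/; do
        [ -d "$docroot" ] || continue      # no match: glob stays literal
        docroot="${docroot%/}"             # strip trailing slash
        # Shipped but never set up: install script present, config absent.
        if [ -f "$docroot/wp-admin/install.php" ] && [ ! -f "$docroot/wp-config.php" ]; then
            printf '%s\n' "$docroot"
        fi
    done
}

# Constructed sample layout in a temp dir: one finished install, one
# unfinished install, one plain static site. Prints the temp dir path.
make_sample_roots() {
    base="$(mktemp -d)"
    mkdir -p "$base/finished.example/wp-admin" \
             "$base/unfinished.example/wp-admin" \
             "$base/static.example"
    : > "$base/finished.example/wp-admin/install.php"
    : > "$base/finished.example/wp-config.php"
    : > "$base/unfinished.example/wp-admin/install.php"
    : > "$base/static.example/index.html"
    printf '%s\n' "$base"
}

# Demo run against the constructed layout; on a real host you would call
# find_unfinished_wp_installs with the parent of your site docroots.
demo_base="$(make_sample_roots)"
find_unfinished_wp_installs "$demo_base"
rm -rf "$demo_base"
```

Each path printed is a site where the install script is still live and should either have setup completed or have the WordPress tree removed until the client needs it.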
