lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <01ed01cef460$38b7cb10$9b7a6fd5@pc>
Date: Sun, 8 Dec 2013 23:55:01 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities hiddenly fixed in WordPress 3.5
	and 3.5.1

Hello list!

Earlier I wrote about one vulnerability in WordPress, which were hiddenly 
fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70) and 
about nine vulnerabilities in versions 3.6 and 3.6.1 
(http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.

These are hiddenly fixed vulnerabilities in such versions of WordPress as 
3.5 and 3.5.1. Developers of WP intentionally haven't wrote about them to 
decrease official number of fixed holes. Which is typical for them - since 
2007 they often hide fixed vulnerabilities.

As I wrote in July (http://websecurity.com.ua/6634/), there are multiple 
vulnerabilities in Akismet plugin, which bundles with core of WordPress, so 
all holes in this plugin directly related to WP. But developers typically 
fix holes in Akismet without mentioning about them among fixed in WP (in 
official announcement), they even didn't mentioned in announcement or Codex 
about updating version of the plugin. At that they wrote about fixed holes 
in plugin's changelog, but didn't write about fixed holes, which I informed 
in 2012 (and didn't fix all the holes). So these vulnerabilities were 
hiddenly fixed in WP 3.5 and 3.5.1, only mentioned in the changelog 
(http://wordpress.org/plugins/akismet/changelog/).

WordPress 3.5.1:

In this version of WP the Akismet was updated from 2.5.6 to 2.5.7. In it 
there were fixed few Full path disclosure vulnerabilities and added 
.htaccess to block direct access to plugin's files (which can be used for 
protecting against FPD, XSS and Redirector vulnerabilities disclosed by me 
in 2012).

Vulnerable are WordPress 3.5 and previous versions.

WordPress 3.5.2:

In this version of WP the Akismet was updated from 2.5.7 to 2.5.8. In it 
there are security improvements (they didn't specify the details).

Vulnerable are WordPress 3.5.1 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists