[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAPMrQTR8a=TaCFhdkXRH3r9u+MegCXP0vXkwBOm+EjksrT8Jjg@mail.gmail.com>
Date: Mon, 9 Dec 2013 01:30:21 +0200
From: Julius Kivimäki <julius.kivimaki@...il.com>
To: MustLive <mustlive@...security.com.ua>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
submissions@...ketstormsecurity.org
Subject: Re: Vulnerabilities hiddenly fixed in WordPress
3.5 and 3.5.1
Pretty sure this is like the 50th time this year you send an email
regarding a vulnerability without actually specifying the vulnerability,
are you sure your client isn't cutting out parts of your messages?
2013/12/8 MustLive <mustlive@...security.com.ua>
> Hello list!
>
> Earlier I wrote about one vulnerability in WordPress, which were hiddenly
> fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70)
> and about nine vulnerabilities in versions 3.6 and 3.6.1 (
> http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.
>
> These are hiddenly fixed vulnerabilities in such versions of WordPress as
> 3.5 and 3.5.1. Developers of WP intentionally haven't wrote about them to
> decrease official number of fixed holes. Which is typical for them - since
> 2007 they often hide fixed vulnerabilities.
>
> As I wrote in July (http://websecurity.com.ua/6634/), there are multiple
> vulnerabilities in Akismet plugin, which bundles with core of WordPress, so
> all holes in this plugin directly related to WP. But developers typically
> fix holes in Akismet without mentioning about them among fixed in WP (in
> official announcement), they even didn't mentioned in announcement or Codex
> about updating version of the plugin. At that they wrote about fixed holes
> in plugin's changelog, but didn't write about fixed holes, which I informed
> in 2012 (and didn't fix all the holes). So these vulnerabilities were
> hiddenly fixed in WP 3.5 and 3.5.1, only mentioned in the changelog (
> http://wordpress.org/plugins/akismet/changelog/).
>
> WordPress 3.5.1:
>
> In this version of WP the Akismet was updated from 2.5.6 to 2.5.7. In it
> there were fixed few Full path disclosure vulnerabilities and added
> .htaccess to block direct access to plugin's files (which can be used for
> protecting against FPD, XSS and Redirector vulnerabilities disclosed by me
> in 2012).
>
> Vulnerable are WordPress 3.5 and previous versions.
>
> WordPress 3.5.2:
>
> In this version of WP the Akismet was updated from 2.5.7 to 2.5.8. In it
> there are security improvements (they didn't specify the details).
>
> Vulnerable are WordPress 3.5.1 and previous versions.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists