Message-ID: <00c401ceff5f$64792500$9b7a6fd5@pc>
Date: Sun, 22 Dec 2013 23:45:24 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: Julius Kivimäki <julius.kivimaki@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1
Hello Julius!

Concerning your tone, see the Post Scriptum.

Concerning your question: no, my mail client doesn't cut anything :-).
The last two e-mails with the subjects "Vulnerabilities hiddenly fixed in
WordPress 3.5 and 3.5.1" and "Vulnerabilities hiddenly fixed in WordPress
3.6 and 3.6.1" were not advisories, but informative letters. Thus they were
not designed to have detailed descriptions of vulnerabilities, just
information about non-serious developers who hiddenly fixed multiple
vulnerabilities in different versions of their software.
I see it all the time, when lame developers hiddenly fix holes in their
software (many developers do it, with different numbers of holes hiddenly
fixed, but still do it), so I decided to use the example of WordPress to bring
attention to this issue. I have looked after the security of this web
application since 2006 and have found many cases of such activity by WP
developers (both concerning holes which I found and holes found by other
security researchers), and wrote about many such cases in previous years.
So in both these letters I wrote only the lists of hidden fixes (not details
of the vulnerabilities). In the second letter I wrote that the developers
didn't mention these holes in the announcement, nor in the Codex; they were
only mentioned in the changelog of the plugin (which you can see via the link
which I provided).
> without actually specifying the vulnerability
I can understand the dislike of advisories without details. I also don't like
such advisories, like VUPEN's (http://securityvulns.ru/docs29802.html).
But my two letters were not advisories.
In my July letter (http://seclists.org/fulldisclosure/2013/Jul/70) I wrote
details about the FPD vulnerability which was hiddenly fixed, because it was
an advisory, but the last two letters were just informative ones, as I wrote
above. Besides, in the last letter I described in detail a fix consisting of
adding an .htaccess file, which is the maximum necessary description for it;
what did you not understand about it? This fix solves vulnerabilities which I
disclosed last year, which are available in the list
(http://seclists.org/fulldisclosure/2012/Jul/14 and
http://seclists.org/fulldisclosure/2012/Jul/221).
P.S.
> Pretty sure this is like the 50th time this year you send an email
> regarding a vulnerability without actually specifying the vulnerability
I don't like lies and trolling (and trolls lie the most). Not this year, not
in any previous one, nor during the last 9 years in total, did I write 50 (or
a similar number of) e-mails about vulnerabilities without specifying their
details. So you are completely wrong.

I even forgave your two trolling attempts earlier this year, but not this
time. So I've blacklisted you for trolling, and you should never comment on
my letters again, neither to my e-mail address nor to the list.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: Julius Kivimäki
To: MustLive
Cc: submissions@...ketstormsecurity.org ; full-disclosure@...ts.grok.org.uk
Sent: Monday, December 09, 2013 1:30 AM
Subject: Re: [Full-disclosure] Vulnerabilities hiddenly fixed in WordPress 3.5 and 3.5.1
Pretty sure this is like the 50th time this year you've sent an email regarding
a vulnerability without actually specifying the vulnerability; are you sure
your client isn't cutting out parts of your messages?
2013/12/8 MustLive <mustlive@...security.com.ua>
Hello list!

Earlier I wrote about one vulnerability in WordPress which was hiddenly
fixed in version 3.5.2 (http://seclists.org/fulldisclosure/2013/Jul/70) and
about nine vulnerabilities in versions 3.6 and 3.6.1
(http://seclists.org/fulldisclosure/2013/Nov/220). Here are new ones.
These are hiddenly fixed vulnerabilities in such versions of WordPress as
3.5 and 3.5.1. The developers of WP intentionally haven't written about them,
to decrease the official number of fixed holes. This is typical for them: since
2007 they have often hidden fixed vulnerabilities.
As I wrote in July (http://websecurity.com.ua/6634/), there are multiple
vulnerabilities in the Akismet plugin, which is bundled with the core of
WordPress, so all holes in this plugin are directly related to WP. But the
developers typically fix holes in Akismet without mentioning them among those
fixed in WP (in the official announcement); they didn't even mention in the
announcement or Codex that the version of the plugin was updated. At that,
they wrote about fixed holes in the plugin's changelog, but didn't write about
the fixed holes which I reported in 2012 (and didn't fix all the holes). So
these vulnerabilities were hiddenly fixed in WP 3.5 and 3.5.1, and are only
mentioned in the changelog (http://wordpress.org/plugins/akismet/changelog/).
WordPress 3.5.1:

In this version of WP, Akismet was updated from 2.5.6 to 2.5.7. In it a few
Full path disclosure vulnerabilities were fixed, and an .htaccess file was
added to block direct access to the plugin's files (which can be used for
protecting against the FPD, XSS and Redirector vulnerabilities disclosed by me
in 2012).

Vulnerable are WordPress 3.5 and previous versions.
WordPress 3.5.2:

In this version of WP, Akismet was updated from 2.5.7 to 2.5.8. In it there
are security improvements (they didn't specify the details).

Vulnerable are WordPress 3.5.1 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
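The ".htaccess to block direct access to plugin's files" fix that the thread refers to, shown as an added example. This is not Akismet's or WordPress's own file; it is the generic Apache pattern for denying direct HTTP requests to a plugin directory, which assumes the plugin lives under wp-content/plugins/ on an Apache server where AllowOverride permits these directives, and the two static asset names kept reachable are placeholders:

```apache
# Added example, not Akismet's actual .htaccess.
# Purpose: a plugin's PHP files should only execute when included by
# WordPress. Requested directly, a file that expects WordPress constants
# (such as ABSPATH) to be defined can emit a PHP warning containing the
# server path, which is the Full Path Disclosure the thread refers to;
# directly reachable scripts are likewise the entry point for the
# reflected XSS and redirector issues mentioned. Denying the whole
# directory and then re-allowing only static assets closes that path.
# Assumption: form.js and style.css are placeholders for whatever assets
# the plugin genuinely needs to serve to browsers.

# Apache 2.2 (mod_authz_core absent): Deny everything, then Allow assets.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    <FilesMatch "^(form\.js|style\.css)$">
        Allow from all
    </FilesMatch>
</IfModule>

# Apache 2.4 (mod_authz_core present): same policy in Require syntax.
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "^(form\.js|style\.css)$">
        Require all granted
    </FilesMatch>
</IfModule>
```

To check that it is in effect, request one of the plugin's PHP files directly (for example `curl -I https://example.test/wp-content/plugins/<plugin>/<plugin>.php`) and expect a 403 rather than a 200 with a PHP warning in the body. The caveat a practitioner should keep in mind is that an .htaccess file is only honoured by Apache with AllowOverride enabled; nginx and other servers ignore it entirely, so the complementary defence that works regardless of web server is the usual guard at the top of each plugin PHP file, `if ( ! defined( 'ABSPATH' ) ) { exit; }`, which makes a direct request exit before any code that could leak the path or reflect input.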
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/