lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABRvpqCH6h=GegrC1r4QgWSO3nxH0GPNSUJ6b_K4Kk5+L+3Dqw@mail.gmail.com>
Date: Tue, 11 Feb 2014 03:34:43 -0500
From: Andrew Nacin <nacin@...dpress.org>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS via tables corruption in WordPress

On Mon, Feb 10, 2014 at 8:02 AM, MustLive <mustlive@...security.com.ua>wrote:
>
> There is DoS vulnerability in WordPress, <snip>


As pointed out by others, this is unbearably vague.

But it's also invalid.

Your "attack" requires that a maintenance script to repair tables is left
open for anyone to access. The constant that you point out must be
set, WP_ALLOW_REPAIR,
is only there so a user can access this script, run the script, then remove
the constant (as the script instructs).

Your suggestion appears to be to validate the logged-in user. But because
this script is to fix a *corrupt database,* we would have no way of
authenticating users. Thus, the script is instead secured by a temporary
configuration change.

Aris mentions he experienced corruption in his own WordPress setup. It's
most likely the options table simply crashed, not as a result of any
particular exploit. This is, after all, why MySQL has a REPAIR command (and
why we have a script for users to use).

I have read to quite a few of your "attacks" against WordPress core, but I
don't recall ever reading a valid one.

Perhaps for WordPress issues you should switch from "full disclosure" to a
more responsible course of action, such as contacting us first (
security@...dpress.org) so we can evaluate it. I understand the general
appeal of full disclosure, but when all you're doing is publishing invalid
vulnerabilities, it's only spreading FUD and also making it tough for
others to take any of your "attacks" seriously. This mailing list would
probably appreciate the higher signal-to-noise ratio.

Regards,

Andrew Nacin
Lead Developer
WordPress

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ