| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 01 Dec 2014 16:37:33 +0100 From: C0r3dump3d <coredump@...istici.org> To: fulldisclosure@...lists.org Subject: [FD] CVE-2014-9016 and CVE-2014-9034. Wordpress and Drupal DOS ==================================================================== DESCRIPTION: ==================================================================== A vulnerability present in Wordpress < 4.0.1 and Drupal < 7.34 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). ==================================================================== Time Line: ==================================================================== November 19, 2014 - A Drupal security update and the security advisory is published. November 20, 2014 - A Wordpress security update and the security advisory is published. ==================================================================== Proof of Concept: ==================================================================== http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve- 2014-9034-PoC.html ==================================================================== Authors: ==================================================================== -- Javer Nieto -- http://www.behindthefirewalls.com -- Andres Rojas -- http://www.devconsole.info ==================================================================== References: ==================================================================== * https://wordpress.org/news/2014/11/wordpress-4-0-1/ * https://www.drupal.org/SA-CORE-2014-006 * http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html * http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html * http://www.devconsole.info/?p=1050 _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists