Author: nion Date: 2009-08-11 18:43:00 +0000 (Tue, 11 Aug 2009) New Revision: 12566 Modified: data/CVE/list Log: track new wordpress issue Modified: data/CVE/list ==================================================================--- data/CVE/list 2009-08-11 18:22:31 UTC (rev 12565) +++ data/CVE/list 2009-08-11 18:43:00 UTC (rev 12566) @@ -1,3 +1,8 @@ +CVE-2009-XXXX [wordpress password reset] + - wordpress <unfixed> (unimportant; bug #541102) + [lenny] - wordpress <no-dsa> (Minor issue) + [etch] - wordpress <no-dsa> (Minor issue) + NOTE: not really a security issue in my opinion, just an annoying bug CVE-2009-XXXX [libxerces2-java: xml-based firewall bypass / port scanning] - libxerces2-java <unfixed> (low; bug #540862) [etch] - libxerces2-java <no-dsa> (minor issue)
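Review bot: the NOTE line on the new wordpress entry records only an opinion ("not really a security issue in my opinion, just an annoying bug") and does not say what the bug actually lets someone do, so the "unimportant" rating cannot be checked from the entry itself. Consider replacing it with a one-line statement of the observed impact, next to the existing pointer to bug #541102. As a style point, "(Minor issue)" on the added lenny and etch lines is capitalised differently from "(minor issue)" on the libxerces2-java etch line just below; use one spelling.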
Michael S. Gilbert
2009-Aug-11 19:13 UTC
[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
On Tue, 11 Aug 2009 18:43:00 +0000, Nico Golde wrote:
> Author: nion > Date: 2009-08-11 18:43:00 +0000 (Tue, 11 Aug 2009) > New Revision: 12566 > > Modified: > data/CVE/list > Log: > track new wordpress issue > > Modified: data/CVE/list > ==================================================================> --- data/CVE/list 2009-08-11 18:22:31 UTC (rev 12565) > +++ data/CVE/list 2009-08-11 18:43:00 UTC (rev 12566) > @@ -1,3 +1,8 @@ > +CVE-2009-XXXX [wordpress password reset] > + - wordpress <unfixed> (unimportant; bug #541102) > + [lenny] - wordpress <no-dsa> (Minor issue) > + [etch] - wordpress <no-dsa> (Minor issue) > + NOTE: not really a security issue in my opinion, just an annoying bug

i think there is some concern here. if i were running wordpress, i would not want an attacker to be able to change my account's password without authentication.

although, the question is, what can the attacker do once they have access to a wordpress account? not a whole lot; just use wordpress's functionality. i would say we should want to fix it and probably push out updates in ospu/spu's.

mike
Giuseppe Iuculano
2009-Aug-12 04:20 UTC
[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
Michael S. Gilbert wrote:
> although, the question is, what can the attacker do once they have
> access to a wordpress account?

Note that the attacker does not have access to a wordpress account, he can only send the reset password in admin email.

Cheers,
Giuseppe
Michael S. Gilbert
2009-Aug-12 05:03 UTC
[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
> Michael S. Gilbert wrote:
>
> > although, the question is, what can the attacker do once they have
> > access to a wordpress account?
>
> Note that the attacker does not have access to a wordpress account, he can only send
> the reset password in admin email.

if the attacker can send a password reset request, they can then change the password, right? or does that just send an email back to the valid user? if that's the case, then yes, the worst that someone could do is cause some annoyance by generating those mails.

note that fedora pushed updates for this today, so they must consider it to be of worthwhile concern. not that we should view their opinion as definitive, but it is more evidence that this is a real issue.

mike
Nico Golde
2009-Aug-12 12:19 UTC
[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-11 21:37]:
> On Tue, 11 Aug 2009 18:43:00 +0000, Nico Golde wrote:
> > Author: nion > > Date: 2009-08-11 18:43:00 +0000 (Tue, 11 Aug 2009) > > New Revision: 12566 > > > > Modified: > > data/CVE/list > > Log: > > track new wordpress issue > > > > Modified: data/CVE/list > > ==================================================================> > --- data/CVE/list 2009-08-11 18:22:31 UTC (rev 12565) > > +++ data/CVE/list 2009-08-11 18:43:00 UTC (rev 12566) > > @@ -1,3 +1,8 @@ > > +CVE-2009-XXXX [wordpress password reset] > > + - wordpress <unfixed> (unimportant; bug #541102) > > + [lenny] - wordpress <no-dsa> (Minor issue) > > + [etch] - wordpress <no-dsa> (Minor issue) > > + NOTE: not really a security issue in my opinion, just an annoying bug
>
> i think there is some concern here. if i were running wordpress, i
> would not want an attacker to be able to change my account's password
> without authentication.

Guessing an email address is also not authentication. There is no security issue here, it's a bug, yes an annoying one but nothing more.

> although, the question is, what can the attacker do once they have
> access to a wordpress account? not a whole lot; just use wordpress's
> functionality. i would say we should want to fix it and probably push
> out updates in ospu/spu's.

I don't get your point, there is no account compromising here. If there would be editing other people's entries can be damage as well, e.g. in business environments.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Nico Golde
2009-Aug-12 12:21 UTC
[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-12 11:58]:
> On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
> > Michael S. Gilbert wrote:
> >
> > > although, the question is, what can the attacker do once they have
> > > access to a wordpress account?
> >
> > Note that the attacker does not have access to a wordpress account, he can only send
> > the reset password in admin email.
>
> if the attacker can send a password reset request, they can then change
> the password, right? or does that just send an email back to the valid
> user? if that's the case, then yes, the worst that someone could do
> is cause some annoyance by generating those mails.

Are you analysing the vulnerability you are tracking in the tracker or what? Sorry these discussions become pretty annoying and time consuming. Read the advisory and the code and you will see that this is not a reset in the meaning of an admin having a blank password after it. Fix some code and work on patches instead, way more useful.

> note that fedora pushed updates for this today, so they must consider
> it to be of worthwhile concern.

Who cares...

[...]

Cheers
Nico (annoyed)
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Michael S. Gilbert
2009-Aug-12 16:00 UTC
[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE
On Wed, 12 Aug 2009 14:21:33 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-12 11:58]:
> > On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
> > > Michael S. Gilbert wrote:
> > >
> > > > although, the question is, what can the attacker do once they have
> > > > access to a wordpress account?
> > >
> > > Note that the attacker does not have access to a wordpress account, he can only send
> > > the reset password in admin email.
> >
> > if the attacker can send a password reset request, they can then change
> > the password, right? or does that just send an email back to the valid
> > user? if that's the case, then yes, the worst that someone could do
> > is cause some annoyance by generating those mails.
>
> Are you analysing the vulnerability you are tracking in the
> tracker or what? Sorry these discussions become pretty
> annoying and time consuming. Read the advisory and the code
> and you will see that this is not a reset in the meaning of
> an admin having a blank password after it.

ok, so there was some conflicting information in some of the discussion, which led me to believe account compromise was possible. it's clear now that this is not the case.

> Fix some code and work on patches instead, way more useful.

i generated patches for poppler, and no one cared to respond...

mike