> Hi,
>
> 2008/11/7 Thijs Kinkhorst <[EMAIL PROTECTED]>:
> > Hi,
> >
> > I don't think this is a grave security issue. It is only a DoS for one
> > client
> > application, which requires another vulnerability to be present, can be
>
> It is not just about the DoS (because as I demonstrated, there are
> other possible attacks).
> The whole point is that wordpress' (ab)use of $_REQUEST is leading to
> more and more possible attacks (as I also demonstrated by showing how
> etch's version is less worst than lenny's).

All attacks can be done only by setting malicious cookies. With a standard apache/php configuration, cookies can only be set for the current subdomain (foo.bar.com) and not for the entire domain (.bar.com). However you can act on the php.ini changing the domain value with a php script but I don't think that's wordpress' fault if the server administrator allows you to dynamically change such configuration with a simple script! 99% of the public hosters which give you a yourname.hoster.com do not allow you to change the domain value for the cookies and so should people do if hosting multiple websites with their debian machine.

> I do really believe it deserves to be considered as critical;
> although if you (or anyone else from the team) really insists I would
> not accept anything below important. Think about web hosting services
> where they share the same domain but use a different subdomain, it is
> possible for one site to inject cookies that will affect the others.

As I said if they allow such dangerous practices as dynamic change of php.ini values that's not wordpress' fault. You can exploit almost every web application overwriting its cookies!

Cheers.
Andrea.
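The $_REQUEST behaviour this thread argues about, as an added example that is not part of either message and is not WordPress code: it models how PHP merges GET, POST and cookie data into $_REQUEST, and shows an accessor that never consults cookies. The helper names `build_request()` and `param_from_client()` and the sample values are assumptions made for illustration; `request_order` and `variables_order` are PHP's own ini directives.

```php
<?php
// Added illustration, not code from WordPress or from this thread.
// build_request() and param_from_client() are hypothetical helpers.

// Model of how PHP fills $_REQUEST: the sources named in request_order
// (or variables_order when request_order is empty) are merged left to
// right, and a later source overwrites an earlier one on the same key.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as they are and lets the later source win.
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// Hardened accessor: read a parameter only from the sources the handler
// expects (POST first, then GET) and never from cookies.
function param_from_client(string $name, array $get, array $post): ?string
{
    foreach ([$post, $get] as $source) {
        if (isset($source[$name]) && is_string($source[$name])) {
            return $source[$name];
        }
    }
    return null;
}

// Constructed sample input: the query string carries one value for "action",
// and a cookie that happens to share the parameter's name carries another.
$get    = ['action' => 'edit', 'post' => '42'];
$post   = [];
$cookie = ['action' => 'delete'];

// With cookies in the merge order, the cookie value replaces the GET value.
echo 'order GPC: ', build_request($get, $post, $cookie, 'GPC')['action'], PHP_EOL;

// With request_order = "GP", cookies never reach $_REQUEST.
echo 'order GP:  ', build_request($get, $post, $cookie, 'GP')['action'], PHP_EOL;

// Reading the expected superglobals directly is independent of the ini setting.
echo 'explicit:  ', param_from_client('action', $get, $post), PHP_EOL;
```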