[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE

Nico Golde debian-secure-testing+ml at ngolde.de
Wed Aug 12 12:21:33 UTC 2009


Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-12 11:58]:
> On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
> > Michael S. Gilbert ha scritto:
> > 
> > > although, the question is, what can the attacker do once they have
> > > access to a wordpress account?  
> > 
> > Note that the attacker does not have access to a wordpress account, he can only send
> > the reset password in admin email.
> 
> if the attacker can send a password reset request, they can then change
> the password, right?  or does that just send an email back to the valid
> user?  if that's the case, then yes, the worst that someone could do
> is cause some annoyance by generating those mails.

Are you analysing the vulnerability you are tracking in the 
tracker or what? Sorry, these discussions become pretty 
annoying and time consuming. Read the advisory and the code 
and you will see that this is not a reset in the meaning of 
an admin having a blank password after it.
Fix some code and work on patches instead, way more useful.

> note that fedora pushed updates for this today, so they must consider
> it to be of worthwhile concern.

Who cares...

[...] 

Cheers
Nico (annoyed)
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.