[Secure-testing-team] [Secure-testing-commits] r12566 - data/CVE

Michael S. Gilbert michael.s.gilbert at gmail.com
Wed Aug 12 16:00:01 UTC 2009


On Wed, 12 Aug 2009 14:21:33 +0200, Nico Golde wrote:
> Hi,
> * Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-12 11:58]:
> > On Wed, 12 Aug 2009 06:20:25 +0200 Giuseppe Iuculano wrote:
> > > Michael S. Gilbert wrote:
> > > 
> > > > although, the question is, what can the attacker do once they have
> > > > access to a wordpress account?  
> > > 
> > > Note that the attacker does not have access to a wordpress account; he can only
> > > have the reset password sent to the admin's email.
> > 
> > If the attacker can send a password reset request, they can then change
> > the password, right?  Or does that just send an email back to the valid
> > user?  If that's the case, then yes, the worst that someone could do
> > is cause some annoyance by generating those mails.
> 
> Are you analysing the vulnerability you are tracking in the 
> tracker or what? Sorry these discussions become pretty 
> annoying and time consuming. Read the advisory and the code 
> and you will see that this is not a reset in the meaning of 
> an admin having a blank password after it.

OK, so there was some conflicting information in some of the
discussion, which led me to believe account compromise was possible.
It's clear now that this is not the case.

> Fix some code and work on patches instead, way more useful.

I generated patches for poppler, and no one cared to respond...

mike


