[Full-Disclosure] Cafelog WordPress / b2 SQL injection vulnerabilities discovered and fixed in CVS
Michael Renzmann
security at dylanic.de
Fri Oct 3 09:40:17 BST 2003
Hi.
Seth Woolley wrote:
> Disclaimer:
> I (Seth) am not a php expert, and I don't run this code, so I haven't
> tested the vendor-provided patch yet, although I assume the vendor has.
> Be advised.
I tested the patch against the current release version of wordpress
(v0.71). Although I couldn't notice any harm with the provided example
for the blog I run with this wordpress version, I applied the patch and
couldn't see any negative impact.
Actually, chances are good that I don't make use of the part of
Wordpress that would have been compromised by the provided exploit
example. If anyone could provide another working (and non-destructive
;)) exploit I'd be willing to test it against both, the release version
any "my" patched version, in order to verify that the provided patch
works for 0.71. Or let me know which feature needs to be turned on in
order to test the effect of the exploit (please be patient with me, I'm
a Wordpress newbie ;)).
Bye, Mike
Full-Disclosure is hosted and sponsored by Secunia.