Re: Wordpress Malicious File Execution Vulnerability
Regarding this report of May 2008:
http://www.securityfocus.com/bid/29276
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2392

The report is invalid. This is not a vulnerability or a security flaw. Quite frankly, I think it's a joke.

The report itself states: "You must login into wordpress with Administrator Roles". If you have logged into WordPress with Admin roles, then you are the blog owner or administrator. The fact that you can then upload any sort of file you want is a feature, not a bug. The admin has unlimited rights to the site, because he is the admin. Obviously.

Suggest this be marked as invalid everywhere it's been incorrectly marked as valid.
