Debian Bug report logs - #696868
wordpress: CVE-2012-5868: wp-login.php session termination failure
Report forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#696868; Package wordpress. (Fri, 28 Dec 2012 14:45:04 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: New Bug report received and forwarded. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 14:45:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: wordpress
Version: 3.4.2+dfsg-1
Severity: important
Tags: security
Overview: WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack.
CVSS Severity (version 2.0):
CVSS v2 Base Score: 2.6 (LOW) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 4.9
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: High
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information
http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
Please email me in case you need my help.
- Henri Salo
Changed Bug title to 'wordpress: CVE-2012-5868: wp-login.php session termination failure' from 'wordpress: CVE-2012-5868: wordpress_sec session cookie security vulnerability'.
Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Fri, 28 Dec 2012 14:51:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#696868; Package wordpress. (Fri, 28 Dec 2012 14:57:07 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 14:57:07 GMT)
Message #12 received at 696868@bugs.debian.org:
Hello,
I read about vulnerability CVE-2012-5868[1], which is listed also in OSVDB[2]. Is this fixed in WordPress 3.5? I also created a bug-report for Debian issue tracker[3]. Is there a patch available to fix this issue?
1: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5868
2: http://osvdb.org/88611
3: http://bugs.debian.org/696868
- Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#696868; Package wordpress. (Fri, 28 Dec 2012 17:42:05 GMT)
Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 17:42:05 GMT)
Message #17 received at 696868@bugs.debian.org:
On Fri, 28 Dec 2012, Henri Salo wrote:
> Please email me in case you need my help.
Does this apply to Wordpress 3.5 also?
If yes, do you know of any patch?
Where has this been submitted upstream?
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#696868; Package wordpress. (Fri, 28 Dec 2012 17:57:06 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Dec 2012 17:57:06 GMT)
Message #22 received at 696868@bugs.debian.org:
On Fri, Dec 28, 2012 at 06:39:20PM +0100, Raphael Hertzog wrote:
> Does this apply to Wordpress 3.5 also?
Don't know yet. Trying to find out.
> If yes, do you know of any patch?
Not yet.
> Where has this been submitted upstream?
Don't know. I only have CVE and http://whiteoaksecurity.com/blog/2012/12/17/cve-2012-5868-wordpress-342-sessions-not-terminated-upon-explicit-user-logout
- Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#696868; Package wordpress. (Fri, 01 Mar 2013 17:03:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Fri, 01 Mar 2013 17:03:03 GMT)
Message #27 received at 696868@bugs.debian.org:
On Fri, Dec 28, 2012 at 07:52:50PM +0200, Henri Salo wrote:
> On Fri, Dec 28, 2012 at 06:39:20PM +0100, Raphael Hertzog wrote:
> > Does this apply to Wordpress 3.5 also?
>
> Don't know yet. Trying to find out.
Did you hear anything?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#696868; Package wordpress. (Tue, 05 Mar 2013 14:06:03 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 05 Mar 2013 14:06:03 GMT)
Message #32 received at 696868@bugs.debian.org:
On Fri, Mar 01, 2013 at 06:02:06PM +0100, Moritz Mühlenhoff wrote:
> On Fri, Dec 28, 2012 at 07:52:50PM +0200, Henri Salo wrote:
> > On Fri, Dec 28, 2012 at 06:39:20PM +0100, Raphael Hertzog wrote:
> > > Does this apply to Wordpress 3.5 also?
> >
> > Don't know yet. Trying to find out.
>
> Did you hear anything?
>
> Cheers,
> Moritz
Not yet. I can try to reproduce this manually.
--
Henri Salo
Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>: Bug#696868; Package wordpress. (Sat, 09 Mar 2013 08:15:03 GMT)
Acknowledgement sent to Henri Salo <henri@nerv.fi>: Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Sat, 09 Mar 2013 08:15:03 GMT)
Message #37 received at 696868@bugs.debian.org:
Andrew Nacin nacin@ replied:
"""
WordPress does not have session management on the server-side. Currently:
* Cookies are only valid as long as they were originally designed to expire. They may be replayed until they timeout.
* They are hashed so they cannot be used after their original intended expiration.
* In general one should be using the WordPress admin over SSL if leaking a cookie is a concern: http://codex.wordpress.org/Administration_Over_SSL.
WordPress takes sensible precautions with these cookies:
* When running over SSL WordPress ensures to set secure flag on cookies
* It sets the HTTPOnly flag so that they are not accessible by javascript
* It invalidates the cookies in the browser.
We are looking into some potential changes to our authentication system to allow for explicit session termination, but do not have a timeline at this time.
"""
So this is not yet fixed in upstream. How should we proceed?
--
Henri Salo
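The report's overview and Andrew Nacin's reply above describe the same design from two sides: the wordpress_sec cookie is a signed, self-contained token with an expiration, the server keeps no session state, so "logout" only deletes the browser's copy and any copy an attacker already captured stays valid until it expires. The following Python model, added here and not code from WordPress or from anyone in this thread, shows the replay succeeding against such a stateless cookie and failing once a per-login random token is recorded server-side and deleted on logout. The cookie layout, secret key, user name, timestamps and TTL are all constructed for the example; WordPress's real cookie format and hashing are not reproduced.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, payload: str) -> str:
    """HMAC-SHA256 over the cookie payload; stands in for the cookie hash."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class StatelessCookieAuth:
    """cookie = user|expiration|MAC(user|expiration). Nothing is kept on the
    server, so logout can only clear the browser's copy; a captured copy is
    accepted until the expiration passes."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def login(self, user: str, now: int, ttl: int) -> str:
        exp = now + ttl
        payload = f"{user}|{exp}"
        return f"{payload}|{_mac(self.key, payload)}"

    def logout(self, cookie: str) -> None:
        return None  # no server-side record exists to revoke

    def validate(self, cookie: str, now: int):
        parts = cookie.split("|")
        if len(parts) != 3 or not parts[1].isdigit():
            return None
        user, exp, mac = parts[0], int(parts[1]), parts[2]
        if not hmac.compare_digest(mac, _mac(self.key, f"{user}|{exp}")):
            return None
        return user if now < exp else None


class SessionTokenAuth:
    """cookie = user|expiration|token|MAC(user|expiration|token). The random
    token is also recorded (hashed) per user on the server; logout deletes
    that record, so a replayed cookie fails although MAC and expiry are fine.
    One token per login, so logging out one browser leaves the others alone."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.sessions = {}  # user -> {sha256(token): expiration}

    @staticmethod
    def _token_id(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token

    def login(self, user: str, now: int, ttl: int) -> str:
        exp, token = now + ttl, secrets.token_hex(16)
        self.sessions.setdefault(user, {})[self._token_id(token)] = exp
        payload = f"{user}|{exp}|{token}"
        return f"{payload}|{_mac(self.key, payload)}"

    def _parse(self, cookie: str):
        parts = cookie.split("|")
        if len(parts) != 4 or not parts[1].isdigit():
            return None
        user, exp, token, mac = parts[0], int(parts[1]), parts[2], parts[3]
        if not hmac.compare_digest(mac, _mac(self.key, f"{user}|{exp}|{token}")):
            return None
        return user, exp, token

    def logout(self, cookie: str) -> None:
        parsed = self._parse(cookie)  # only a MAC-valid cookie may revoke a session
        if parsed is not None:
            user, _, token = parsed
            self.sessions.get(user, {}).pop(self._token_id(token), None)

    def validate(self, cookie: str, now: int):
        parsed = self._parse(cookie)
        if parsed is None:
            return None
        user, exp, token = parsed
        stored = self.sessions.get(user, {}).get(self._token_id(token))
        return user if stored is not None and now < min(exp, stored) else None


def replay_after_logout(auth, user="admin", now=1_356_700_000, ttl=2 * 24 * 3600) -> bool:
    """Attacker captures the cookie, victim logs out, attacker replays it.
    Returns True if the replayed cookie is still accepted afterwards."""
    cookie = auth.login(user, now, ttl)
    captured = cookie  # e.g. sniffed from an admin session served over plain HTTP
    assert auth.validate(captured, now + 60) == user  # good before logout
    auth.logout(cookie)
    return auth.validate(captured, now + 120) == user


if __name__ == "__main__":
    key = b"constructed key; stands in for the site's AUTH_KEY secret"
    print("stateless cookie accepted after logout:", replay_after_logout(StatelessCookieAuth(key)))
    print("session-token cookie accepted after logout:", replay_after_logout(SessionTokenAuth(key)))
```

The Secure and HttpOnly flags Nacin lists reduce the chance of the cookie being captured, but neither helps once it has been; only the server-side record makes logout (or an administrator-forced revocation) take effect before the cookie's own expiration.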
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#696868; Package wordpress. (Sun, 16 Feb 2014 07:12:04 GMT)
Acknowledgement sent to Craig Small <csmall@debian.org>: Extra info received and forwarded to list. (Sun, 16 Feb 2014 07:12:04 GMT)
Message #42 received at 696868@bugs.debian.org:
I reported this bug in the wordpress forum and the reply from one of the
developers is at
http://wordpress.org/support/topic/old-bug-cve-2012-5868
- Craig
--
Craig Small (@smallsees) http://enc.com.au/ csmall at : enc.com.au
Debian GNU/Linux http://www.debian.org/ csmall at : debian.org
GPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5
Added tag(s) upstream. Request was from Craig Small <csmall@debian.org> to control@bugs.debian.org. (Sun, 16 Feb 2014 07:12:11 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 16:01:39 2019