Remote users may reset the admin password (?)

Bug #412546 reported by Rolf Leggewie
Affects             Status        Importance  Assigned to  Milestone
wordpress (Debian)  Fix Released  Unknown
wordpress (Ubuntu)  Fix Released  High        Unassigned
Nominated for Dapper by Rolf Leggewie
Nominated for Hardy by Rolf Leggewie
Nominated for Intrepid by Rolf Leggewie
Nominated for Jaunty by Rolf Leggewie
Nominated for Karmic by Rolf Leggewie

Bug Description

Binary package hint: wordpress

I just browsed the Debian BTS today and came across http://bugs.debian.org/541102.

I don't think the vulnerability has been established yet, but I thought I'd report it here nonetheless to give you a chance to take a look.

According to the information in the original report on lists.grok.org.uk, all current Ubuntu releases of Wordpress would be affected.

http://lists.grok.org.uk/pipermail/full-disclosure/2009-August/070137.html
http://core.trac.wordpress.org/changeset/11798

Rolf Leggewie (r0lf)
visibility: private → public
Changed in wordpress (Debian):
status: Unknown → New
Changed in wordpress (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Giuseppe Iuculano (giuseppe-iuculano) wrote :

This was fixed in 2.8.3-2ubuntu1

Changed in wordpress (Ubuntu):
status: Confirmed → Fix Released
Rolf Leggewie (r0lf) wrote :

Thank you, great!

Giuseppe, the way I understand it, this affects releases prior to Karmic, too, doesn't it?

Giuseppe Iuculano (giuseppe-iuculano) wrote : Re: [Bug 412546] Re: Remote users may reset the admin password (?)

Rolf Leggewie wrote:
> Thank you, great!
>
> Giuseppe, the way I understand it, this affects releases prior to
> Karmic, too, doesn't it?
>

Not really.
I wasn't able to reproduce this issue in 2.5.1-11 and 2.0.10-1, but I didn't
investigate the code because it really seems just an annoying bug, not a
security issue.

Cheers,
Giuseppe.

Rolf Leggewie (r0lf) wrote :

Giuseppe, thank you for doing some verification work. I skipped that for lack of time and was going purely by the description. Being able to remotely reset the admin password of a wordpress installation does sound pretty serious, even if limited in scope and not affecting the whole system.

Changed in wordpress (Debian):
status: New → Fix Released