[wp-hackers] PCI Compliance and Wordpress 2.9.2

Andrew Nacin wp at andrewnacin.com
Wed May 19 20:18:45 UTC 2010


Hi Katrina, yes -- http://core.trac.wordpress.org/ticket/5487. As Brian
says, Security Metrics says "solution unknown at this time". Yes, at this
time, meaning January 2008 in WordPress 2.3.1.

On Wed, May 19, 2010 at 3:53 PM, Katrina Tustin <Katrina at jstreettech.com> wrote:

> Thanks Andrew.  Unfortunately Security Metrics says different.  Do you know
> where I could find documentation that would back up your statement so I
> could direct SM to it?
>
> Katrina Tustin
> J Street Technology, Inc.
> 425-869-0797 x 104
> www.JStreetTech.com
>
> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:
> wp-hackers-bounces at lists.automattic.com] On Behalf Of Andrew Nacin
> Sent: Wednesday, May 19, 2010 12:53 PM
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] PCI Compliance and Wordpress 2.9.2
>
> On Wed, May 19, 2010 at 3:23 PM, Katrina Tustin <Katrina at jstreettech.com> wrote:
>
> > I am hoping that someone can help us.  We have an e-commerce site as well
> > as a WordPress blog.  We have been unsuccessful in passing PCI compliance
> > due to a security issue with the blog.  This is the error that is received
> > from Security Metrics.  We are running 2.9.2.  Any help would be
> > appreciated.
> >
> > Synopsis : The remote web server contains a PHP application that is
> > affected by an information disclosure issue. Description : The version of
> > WordPress on the remote host does not properly check for administrative
> > credentials in the 'is_admin()' function in 'wp-includes/query.php'. Using a
> > specially-crafted URL that contains the string 'wp-admin/', an attacker may
> > be able to leverage this issue to view posts for which the status is
> > classified as 'future', 'draft', or 'pending', which would otherwise be
> > available only to authenticated users. See also :
> > http://www.securityfocus.com/archive/1/485160/30/0/threaded
> > http://trac.wordpress.org/ticket/5487 Solution: Unknown at this time. Risk
> > Factor: Medium  / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
> > BID : 26885 Other references : OSVDB:39518, Secunia:28130 [More]
>
> Hi Katrina,
>
> The code cited in the vulnerability report is more than two years old and
> was changed in 2.3.2. is_admin() has nothing to do with administrative
> credentials, only whether we're in the administrative area. It is set by a
> constant defined in the admin.php bootstrap and no longer relies on the URL.
>
> The warning is thus outdated for any WordPress versions released since
> January 2008.
>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
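To make the distinction in Andrew's reply concrete, here is an added PHP sketch; it is not WordPress's code and was not posted by anyone on the thread. It contrasts an admin-area flag derived from the request path (the pattern the 2007 advisory describes) with one derived from a constant set by the admin bootstrap (what the reply describes). The function names and request paths are constructed for the example; WP_ADMIN is the constant that wp-admin/admin.php defines.

```php
<?php
// Added illustration, not WordPress's own code. Function names and the
// sample request paths below are constructed for this example.

// Old approach (per the advisory quoted above): derive "are we in the admin
// area?" from the request path. Any request whose path contains 'wp-admin/'
// is treated as an admin-area request, so the flag is request-controlled.
function is_admin_from_url(string $request_path): bool
{
    return strpos($request_path, 'wp-admin/') !== false;
}

// Newer approach (per Andrew's reply): the admin bootstrap defines a
// constant, and the check reads only that constant. A front-end request
// never runs the admin bootstrap, so nothing in the URL can set the flag.
function is_admin_from_constant(): bool
{
    return defined('WP_ADMIN') && WP_ADMIN;
}

// Constructed request paths: a real admin page, an ordinary front-end page,
// and a front-end request whose path merely contains the substring.
$paths = [
    '/wp-admin/edit.php',
    '/?p=123',
    '/?p=123&x=wp-admin/',
];

echo "URL-derived flag (old):\n";
foreach ($paths as $p) {
    printf("  %-24s => %s\n", $p, is_admin_from_url($p) ? 'admin' : 'front-end');
}

// Simulate a front-end request: the admin bootstrap did not run, so WP_ADMIN
// is undefined and every path, crafted or not, is classified as front-end.
echo "Constant-derived flag (front-end request, admin bootstrap not loaded):\n";
foreach ($paths as $p) {
    printf("  %-24s => %s\n", $p, is_admin_from_constant() ? 'admin' : 'front-end');
}

// Simulate the admin bootstrap running, which is the only place the constant
// gets defined. Only now does the constant-based check report the admin area.
define('WP_ADMIN', true);
echo "Constant-derived flag after the admin bootstrap ran: ",
     is_admin_from_constant() ? "admin\n" : "front-end\n";
```

The point of the second check is the one Andrew makes: is_admin() answers "which part of the application is serving this request?", decided by which bootstrap file loaded, not "is this user an administrator?", so a scanner reading 'is_admin()' as a credential check is misreading the function's role.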