[wp-trac] [WordPress Trac] #8814: Bad use of $_REQUEST variable in wordpress
WordPress Trac
wp-trac at lists.automattic.com
Wed Jan 7 07:35:57 GMT 2009
#8814: Bad use of $_REQUEST variable in wordpress
--------------------------+-------------------------------------------------
 Reporter:  firstbit      |       Owner:  ryan
     Type:  defect (bug)  |      Status:  new
 Priority:  high          |   Milestone:  2.8
Component:  Security      |     Version:
 Severity:  normal        |    Keywords:
--------------------------+-------------------------------------------------
As reported in CVE-2008-5113 (1) wordpress has many security issues
related to the bad use of $_REQUEST variable. Most of them are related to
the possibility to overwrite $_POST and $_GET values with a simple cookie.
I uploaded a package with a working workaround in Debian but the problem
still exists and has not been solved. I think the only way to get rid of
the bug is to use $_POST, $_GET and $_COOKIES instead of merging them in a
single array.
Thank you very much for your help and work.
Regards.
Andrea De Iacovo
(1) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113
--
Ticket URL: <http://trac.wordpress.org/ticket/8814>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
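
Added example, not part of the original ticket and not WordPress code: PHP fills $_REQUEST from GET, POST and COOKIE in the order given by the request_order (or variables_order) ini setting, with later sources overwriting earlier ones. The sketch below imitates that merge to show which value code reading $_REQUEST would see, next to a read from one named source. merge_request(), param() and the sample request values are hypothetical and constructed for illustration.

```php
<?php
// merge_request() is a hypothetical helper imitating how PHP builds $_REQUEST:
// sources are registered left to right in the configured order, and a later
// source overwrites a same-named key from an earlier one.
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as they are; the later source wins.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hypothetical accessor: the caller names the single source it expects the
// parameter to come from, so a cookie of the same name is never consulted.
function param(array $source, string $key, ?string $default = null): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    return $source[$key];
}

// Constructed sample request: the form posts action=view while a cookie
// with the same name carries a different value.
$get    = ['page' => 'settings'];
$post   = ['action' => 'view'];
$cookie = ['action' => 'delete', 'session' => 'abc123'];

// Compare an order that includes cookies with one that does not.
foreach (['GPC', 'GP'] as $order) {
    $request = merge_request($order, $get, $post, $cookie);
    printf("order=%-3s  \$_REQUEST['action'] = %s\n", $order, $request['action']);
}

// Reading the named source gives the posted value regardless of the order.
printf("explicit POST read:  action = %s\n", param($post, 'action'));
```

Auditing a code base for this class of issue comes down to listing every $_REQUEST read and deciding, per parameter, which single source it should come from.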