[Owasp-turkey] [Fwd: [netsec] WordPress Critical Security Vulnerability]

Huzeyfe ONAL huzeyfe at lifeoverip.net
Thu May 24 03:33:03 EDT 2007
---------------------------- Original Message ----------------------------
Subject: [netsec] WordPress Critical Security Vulnerability
From:    "Huzeyfe ONAL" <huzeyfe at lifeoverip.net>
Date:    Thu, May 24, 2007 10:29 am
To:      netsec at huzeyfe.net
--------------------------------------------------------------------------

Attention WordPress 2.1.3 users...

While examining anomalies in the web requests hitting my blog over the last day or two, I discovered that a WP vulnerability from two days earlier was being exploited.

Because of missing checks in wp-admin/admin-ajax.php and the scripts that depend on it, a malicious person who can reach the /wp-admin area of your blog can obtain the plain MD5 hashes of the WP users on the system (I tested this on my own system) and, beyond that, can supposedly use them to log in to the system with admin privileges (I have not tested that).

Exploits for this issue have already been published on various underground sites.

To protect against the vulnerability, the update released by WP (2.2) can be applied.

Detailed information:
http://secunia.com/advisories/25345/



--
Huzeyfe ONAL
huzeyfe at lifeoverIP.net
http://www.lifeoverip.net

Have you subscribed to the network security list yet?
http://netsec.huzeyfe.net
