Re: CVE-request: WordPress SQL injection and arbitrary code injection (2003)
From: Henri Salo <henri () nerv fi>
Date: Fri, 6 Jan 2012 12:38:32 +0200
On Wed, Jan 04, 2012 at 02:27:58PM -0700, Kurt Seifried wrote:
> On 01/03/2012 02:41 PM, Henri Salo wrote:
>> These two WordPress security vulnerabilities from 2003 are still without CVE-identifiers. I am requesting
>> CVE-identifiers as these issues have highly critical impact.
>>
>> 1) SQL injection
>
> Please use CVE-2003-1598 for the WordPress 0.70
> ./wp-links/links.all.php SQL Injection
>
>> 2) Arbitrary code injection
>
> Please use CVE-2003-1599 for the WordPress 0.70 ./blog.header.php
>
>> Secunia advisory: http://secunia.com/advisories/8954/
>>
>> - Henri Salo
>
> -- Kurt Seifried / Red Hat Security Response Team

Thank you for the identifiers. Descriptions are switched.
4610 CVE-2003-1598 is about blog.header.php posts variable SQL injection
4611 CVE-2003-1599 is about links.all.php abspath variable RFI
OSVDB already added these to the advisories, but that can be easily fixed. In future I can add files affected and
correct parameters to these requests for clarity. Sorry for the confusion, but could you tell me which CVE should be
used for which vulnerability?
- Henri Salo