Red Hat Bugzilla – Bug 471989
CVE-2008-5113 wordpress delayed attack via cookies
Last modified: 2010-12-23 21:13:00 EST
WordPress 2.6.3 relies on the REQUEST superglobal array in certain
dangerous situations, which makes it easier for remote attackers to
conduct delayed and persistent cross-site request forgery (CSRF)
attacks via crafted cookies, as demonstrated by attacks that (1)
delete user accounts or (2) cause a denial of service (loss of
application access). NOTE: this issue relies on the presence of an
independent vulnerability that allows cookie injection.
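How a cookie ends up in the request array the description refers to, as an added example that is not part of this bug report or of WordPress: it emulates PHP's merge order for `$_REQUEST` and contrasts it with reading state-changing input from `$_POST` behind a token check. The parameter names (`action`, `user`, `token`) and all values are constructed for illustration.

```php
<?php
// Added example. Parameter names and values are hypothetical, not WordPress's own.

// Emulate how PHP fills $_REQUEST: sources are merged left to right in
// request_order (variables_order where request_order is unset), so a later
// source overrides an earlier one.
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Defensive check: keys whose merged value is identical to the cookie's value,
// i.e. input that a handler reading $_REQUEST would take from a cookie.
function cookie_supplied_keys(array $request, array $cookie): array
{
    return array_keys(array_intersect_assoc($cookie, $request));
}

// Hardened read: state-changing input comes from $_POST only and must carry
// the per-session anti-CSRF token, compared in constant time.
function read_action(array $post, string $sessionToken): ?string
{
    $token = $post['token'] ?? '';
    if (!is_string($token) || !hash_equals($sessionToken, $token)) {
        return null;
    }
    return isset($post['action']) && is_string($post['action']) ? $post['action'] : null;
}

// Constructed request: an ordinary page view arriving with a cookie set earlier.
$get    = ['page' => 'dashboard'];
$post   = [];
$cookie = ['session' => 'abc', 'action' => 'delete', 'user' => '5'];

$withCookies    = build_request($get, $post, $cookie, 'GPC');
$withoutCookies = build_request($get, $post, $cookie, 'GP');

var_dump(isset($withCookies['action']), isset($withoutCookies['action']));
print_r(cookie_supplied_keys($withCookies, $cookie));
var_dump(read_action($post, 'constructed-session-token'));
```

Setting `request_order = "GP"` in php.ini removes cookies from `$_REQUEST` for the whole application; the explicit `$_POST` read plus token check protects a handler regardless of that setting.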
Created wordpress tracking bugs for this issue
CVE-2008-5113 Affects: F8 [bug #471990]
CVE-2008-5113 Affects: F9 [bug #471991]
CVE-2008-5113 Affects: Fdevel [bug #471992]
2.6.5 is available, which seems to fix the security vulnerability.
They do not mention the CVE number as far as I can see, but the changes to feed.php
seem to change the behaviour concerning the REQUEST variable:
I will push updates for wordpress.
From this quick look at the 2.6.3 -> 2.6.5 changeset, I fail to see any change that may possibly be related to this issue. $_REQUEST still seems widely used in 2.6.5; feed.php is unlikely to be the only place to be affected. Please do not mention this bug/CVE in the 2.6.5 update request.
According to http://codex.wordpress.org/CVEs#2008 this only affected 2.6.3.