Fedora Account System
Red Hat Associate
Red Hat Customer
WordPress 2.6.3 relies on the REQUEST superglobal array in certain dangerous situations, which makes it easier for remote attackers to conduct delayed and persistent cross-site request forgery (CSRF) attacks via crafted cookies, as demonstrated by attacks that (1) delete user accounts or (2) cause a denial of service (loss of application access). NOTE: this issue relies on the presence of an independent vulnerability that allows cookie injection. http://openwall.com/lists/oss-security/2008/11/14/1 http://bugs.debian.org/504771
Created wordpress tracking bugs for this issue CVE-2008-5113 Affects: F8 [bug #471990] CVE-2008-5113 Affects: F9 [bug #471991] CVE-2008-5113 Affects: Fdevel [bug #471992]
2.6.5 is available which seems to fix the security vulnerability http://wordpress.org/development/2008/11/wordpress-265/ They do not mention the CVE number as far as I see it but the changes to feed.php seems to change the behaviour concerning the REQUEST variable: http://trac.wordpress.org/changeset?old_path=tags%2F2.6.3&old=&new_path=tags%2F2.6.5&new=#file2 I will push updates for wordpress.
From this quick look at the 2.6.3 -> 2.6.5 changeset, I fail to see any change that may be possibly related to this issue. $_REQUEST still seems widely used in 2.6.5, feed.php is unlikely to be the only place to be affected. Please do not mention this bug/CVE in the 2.6.5 update request.
According to http://codex.wordpress.org/CVEs#2008 this only affected 2.6.3.