WordPress 'wp-trackbacks.php' Multi-byte Encoding Detection Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1023072 |
SecurityTracker URL: http://securitytracker.com/id/1023072
CVE Reference: CVE-2009-3622
Updated: Oct 28 2009
Original Entry Date: Oct 21 2009
Impact:
Denial of service via network
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Version(s): prior to 2.8.5
Description:
A vulnerability was reported in WordPress. A remote user can cause denial of service conditions.
A remote user can send a specially crafted series of requests containing multibyte encodings to cause the target 'wp-trackbacks.php' script to consume excessive CPU resources.
This vulnerability is being actively exploited.
Systems that have trackbacks disabled are still affected.
Demonstration exploit code is available at:
http://rooibo.wordpress.com/2009/10/17/agujero-de-seguridad-en-wordpress/
Jose Carlos Norte reported this vulnerability.
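The advisory describes a series of requests to the trackback script driving CPU usage up. The following is an added example, not part of the SecurityTracker entry or of WordPress, showing how a defender could spot such a burst in web server access logs; it assumes the Apache/nginx "combined" log format and a threshold of 20 POSTs per client in any 60-second window (both assumptions, not values from the advisory).

```python
"""Flag clients sending bursts of POSTs to the WordPress trackback endpoint.
Added example for this advisory; assumes "combined" access-log format."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"'
)
# The advisory names 'wp-trackbacks.php'; also match the singular spelling.
TRACKBACK_RE = re.compile(r'/wp-trackbacks?\.php(\?|$)')


def parse_line(line):
    """Return (ip, datetime, method, path), or None if the line is unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_trackback_bursts(lines, threshold=20, window_seconds=60):
    """Return {ip: peak_count} for clients whose trackback POSTs exceed
    `threshold` within any sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # ip -> timestamps of recent trackback POSTs
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or not TRACKBACK_RE.search(path):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # slide the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


# Constructed sample log: one client sends 25 POSTs in 25 s, another sends one.
SAMPLE_LOG = [
    f'203.0.113.9 - - [21/Oct/2009:10:00:{s:02d} +0000] "POST /wp-trackbacks.php?p=1 HTTP/1.1" 200 512 "-" "x"'
    for s in range(25)
] + ['198.51.100.4 - - [21/Oct/2009:10:00:30 +0000] "POST /wp-trackbacks.php?p=1 HTTP/1.1" 200 512 "-" "Mozilla"']

if __name__ == "__main__":
    print(find_trackback_bursts(SAMPLE_LOG))  # {'203.0.113.9': 25}
```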
Impact:
A remote user can cause excessive CPU consumption on the target system.
Solution:
The vendor has issued a fix (2.8.5).
The vendor's advisory is available at:
http://wordpress.org/development/2009/10/wordpress-2-8-5-hardening-release/
Vendor URL: wordpress.org/development/2009/10/wordpress-2-8-5-hardening-release/
Cause:
Resource error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.