
Opened 10 years ago

Closed 9 years ago

#10735 closed defect (bug) (wontfix)

CVE-2008-6767 patch: Only admin can upgrade wordpress

Reported by: Derevko
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Upgrade/Install
Keywords:
Focuses:
Cc:
PR Number:

Description

Hi,

With the trivial attached patch I fixed CVE-2008-6767 in the WordPress Debian package:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6767

Attachments (1)

009CVE2008-6767.patch (1.2 KB) - added by Derevko 10 years ago.
Only admin can upgrade wordpress. (CVE-2008-6767)


Change History (5)

@Derevko
10 years ago

Only admin can upgrade wordpress. (CVE-2008-6767)

#1 follow-up: @scribu
10 years ago

  • Keywords has-patch added
  • Milestone changed from Unassigned to 2.9

You should use 'administrator' instead of 'level_10'.

#2 in reply to: ↑ 1 @Derevko
10 years ago

Replying to scribu:

You should use 'administrator' instead of 'level_10'.

The original patch did have 'administrator', but a user pointed me to the fact that sometimes the default administrator account may not exist, or may have been renamed for security hardening.

#3 @ryan
10 years ago

  • Keywords has-patch removed
  • Milestone changed from 2.9 to Future Release

This will break the auto upgrade.

I doubt this will be addressed since it's not much of a problem in practice. Postponing to a later release for future consideration.

#4 @dd32
9 years ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed