Bad use of $_REQUEST variable in wordpress
|Reported by:||firstbit||Owned by:||ryan|
|Component:||Security||Keywords:||has-patch tested commit dev-feedback|
As reported in CVE-2008-5113 (1) wordpress has many security issues related to the bad use of $_REQUEST variable. Most of them ar related to the possibility to overwrite $_POST and $_GET values with a simple cookie.
I uploaded a package with a working workaround in Debian but the problem still exists and has not been solved. I think the only way to get rid of the bug is to use $_POST, $_GET and $_COOKIES instead of merging them in a single array.
Thank you very much for your help and work.
Andrea De Iacovo
Change History (19)
- Keywords needs-patch dev-feedback added
- Priority changed from high to normal
- Version set to 2.8
- Keywords has-patch needs-testing added; needs-patch removed