| Summary: | <www-apps/wordpress-3.5: Improper validation of session cookie (CVE-2012-5868) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | trivial | CC: | planet, radhermit, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ~4 [upstream+] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
GLSAMaker/CVETool Bot
2013-01-25 15:59:28 UTC
Debian contacted upstream and this was their response: """ WordPress does not have session management on the server-side. Currently: * Cookies are only valid as long as they were originally designed to expire. They may be replayed until they timeout. * They are hashed so they cannot be used after their original intended expiration. * In general one should be using the WordPress admin over SSL if leaking a cookie is a concern: http://codex.wordpress.org/Administration_Over_SSL. WordPress takes sensible precautions with these cookies: * When running over SSL WordPress ensures to set secure flag on cookies * It sets the HTTPOnly flag so that they are not accessible by javascript * It invalidates the cookies in the browser. We are looking into some potential changes to our authentication system to allow for explicit session termination, but do not have a timeline at this time. """ Upstream cannot fix the bug. What should be done next? With 3.8.5 being the latest version in Gentoo I vote for closing as obsolete. Package is no longer in tree. Closing. |
