On Jun 22, 2006, at 3:08 PM, Doug Stewart wrote:
> AFAICS, that vulnerability isn't a WordPress one, but rather a flaw in
> Mark's Subscribe to Comments.
The flaw is a shared one. It isn't a flaw in my plugin alone, nor is
it a flaw in WordPress alone; it is a combined flaw that enables
exploitation of a flaw that exists solely in WordPress versions 2.0,
2.0.1 and 2.0.2. That is, there was no security risk in using my plugin
until WordPress 2.0 was released. Because of that, upgrading to
Subscribe to Comments 2.0.4 OR upgrading to WordPress 2.0.3 closes
the joint vulnerability (but you should upgrade WordPress to 2.0.3
anyway, because there are other security issues in 2.0.2).
Basically, I chose a certain md5 hash with a certain salt. 6-12
months later, WP 2.0 was released with a hash that was salted the
same way. If you registered a WP account with your user name as an
e-mail address, you could get the Subscribe to Comments hash to match
your WP user hash, and then know the location of your user cache
files. You could then use an input sanitization bug in WP to write
executable data to your user cache file, and you'd know where it was
located so you could run it.
Steven J. Murdoch, who wrote that article, contacted me almost a
month ago and relayed this information to me. I released Subscribe
to Comments 2.0.4 on May 28th, to protect people until WP 2.0.3
came out a few days later.
wp-hackers mailing list
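The mechanism Mark describes, modelled as an added example that is not the plugin's or WordPress's code: two components derive a value from the same salted md5 construction, so a token that one component mails to the subscriber equals the file name the other component derives from the username whenever the attacker registers with their e-mail address as their username. The salt, the cache directory, and every function name here are assumptions made for the illustration; the post does not say how 2.0.4 or 2.0.3 changed their hashing, so the hardened half shows the general remedy (domain separation with a keyed hash), not the actual fix.

```python
import hashlib
import hmac

# Constructed example value; a real deployment would use its own secret salt.
SITE_SALT = b"example-site-salt"
CACHE_DIR = "wp-content/cache/users"  # hypothetical location


def legacy_hash(value: str) -> str:
    """md5(salt || value): one salted md5 construction shared by two components.

    This models the pattern the post describes (same algorithm, same salt
    in the plugin and in core); it is not the actual plugin or WordPress code.
    """
    return hashlib.md5(SITE_SALT + value.encode("utf-8")).hexdigest()


def subscription_token(email: str) -> str:
    """Plugin side: the confirmation token mailed to a comment subscriber."""
    return legacy_hash(email)


def user_cache_path(username: str) -> str:
    """Core side: the user's cache file, named after a hash of the username."""
    return f"{CACHE_DIR}/{legacy_hash(username)}.php"


def legacy_token_reveals_cache_path(email: str, username: str) -> bool:
    """True when the mailed token lets the subscriber compute the cache path.

    The attacker registers a WP account whose username is the e-mail address
    they subscribed with, so both components hash the same string and the
    secret-dependent file name leaks through the e-mail.
    """
    guessed_path = f"{CACHE_DIR}/{subscription_token(email)}.php"
    return guessed_path == user_cache_path(username)


# Hardened construction: domain separation.  Each component keys the hash
# with a distinct purpose label, so a value learned in one context (a token
# in an e-mail) says nothing about the value in another (a file name), even
# when both are computed over the same input string.
def purpose_hash(purpose: str, value: str) -> str:
    msg = purpose.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(SITE_SALT, msg, hashlib.sha256).hexdigest()


def subscription_token_v2(email: str) -> str:
    return purpose_hash("subscribe-to-comments/confirm", email)


def user_cache_path_v2(username: str) -> str:
    return f"{CACHE_DIR}/{purpose_hash('core/user-cache', username)}.php"


def hardened_token_reveals_cache_path(email: str, username: str) -> bool:
    guessed_path = f"{CACHE_DIR}/{subscription_token_v2(email)}.php"
    return guessed_path == user_cache_path_v2(username)


if __name__ == "__main__":
    addr = "attacker@example.com"
    print("legacy,   username == e-mail:", legacy_token_reveals_cache_path(addr, addr))    # True
    print("hardened, username == e-mail:", hardened_token_reveals_cache_path(addr, addr))  # False
```

The point of the hardened half is not the switch from md5 to SHA-256 but the purpose label: the cache file name and the subscription token become independent values even under an identical secret and identical input, which is what removes the cross-component link the post describes.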