Information Exposure Affecting wordpress package, versions *
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-WORDPRESS-362679
- published 30 Jan 2012
- disclosed 30 Jan 2012
Introduced: 30 Jan 2012
CVE-2011-4898 Open this link in a new tabHow to fix?
There is no fixed version for Debian:unstable wordpress.
NVD Description
Note: Versions mentioned in the description apply only to the upstream wordpress package and not the wordpress package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective
References
- https://security-tracker.debian.org/tracker/CVE-2011-4898
- http://www.exploit-db.com/exploits/18417
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html
- https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2011-4898
- https://www.exploit-db.com/exploits/18417