Info

Disclosure

May 25, 2006

Discovery

Unknown

Dates

Exploit

May 25, 2006

Solution

Unknown

Description

WordPress contains a flaw that may allow a malicious user to spoof their IP address. The issue is triggered when an attacker registers with a specially crafted request with the PC_REMOTE_ADDR HTTP header set. It is possible that the flaw may allow a remote attacker to bypass IP based access restrictions resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Upgrade to version 2.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

WordPress

2.0.2

References

CVE ID: 2006-2702 (see also: NVD)
Secunia Advisory ID: 20271 20608
Related OSVDB ID: 25777
ISS X-Force ID: 26688
VUPEN Advisory: ADV-2006-1992
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0538.html
Other Advisory URL: http://retrogod.altervista.org/wordpress_202_xpl.html
http://www.gentoo.org/security/en/glsa/glsa-200606-08.xml
Vendor URL: http://wordpress.org/

Credit

rgod - rgodautistici.org - http://retrogod.altervista.org

Direct URL: http://osvdb.org/25935