FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-4107

This CVE name corresponds to:

Entered: 2008-10-22
Topic: wordpress -- remote privilege escalation

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type Candidate
Name CVE-2008-4107
Phase Assigned(20080915)

Description

The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-2008-4102.
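The description above is the whole technical content of this entry, so the following is an added illustration of the attack class it names; it is not code from PHP, WordPress or Joomla! and does not reproduce how PHP 5.2.6 actually derived its seed. Python's `random.Random` is MT19937, the same generator family as `mt_rand()`, but the seeding and output mapping differ, so the numbers are not PHP's. The names `mt_token`, `ResetService` and `guess_reset_token`, the 32-character token alphabet, and the choice to seed the weak generator from the request's Unix time (a stand-in for any low-entropy seed) are all assumptions made for the example. It shows why a reset token derived from a deterministic PRNG can be guessed by enumerating a small seed window, and what the fix looks like: draw the token from the OS CSPRNG.

```python
"""Weak versus strong password-reset tokens (added example, not project code).

The weak service seeds MT19937 from the reset request's Unix time, a
hypothetical low-entropy seed; an attacker who can estimate when the reset
was requested only has to try a few hundred candidate tokens.
"""
import random
import secrets
import string
from typing import Dict, Optional

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, assumed alphabet
TOKEN_LEN = 32


def mt_token(seed: int, length: int = TOKEN_LEN) -> str:
    """Token built character by character from a seeded Mersenne Twister,
    in the style of mt_srand($seed); $t .= $alphabet[mt_rand(0, 61)].
    Same seed, same token: the output carries no entropy beyond the seed."""
    rng = random.Random(seed)
    return "".join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(length))


class ResetService:
    """Minimal reset flow: issue a token for a user, then check it on use."""

    def __init__(self, strong: bool) -> None:
        self.strong = strong
        self.tokens: Dict[str, str] = {}
        self.attempts = 0           # how many guesses the service has seen

    def request_reset(self, username: str, request_time: int) -> None:
        if self.strong:
            # CSPRNG-backed token (PHP 7+ equivalent: random_bytes())
            token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
        else:
            # hypothetical weak seeding: the generator is seeded from the clock
            token = mt_token(request_time)
        self.tokens[username] = token   # real code would store only a hash

    def verify(self, username: str, token: str) -> bool:
        self.attempts += 1
        stored = self.tokens.get(username)
        return stored is not None and secrets.compare_digest(stored, token)


def guess_reset_token(service: ResetService, username: str,
                      approx_time: int, window: int) -> Optional[int]:
    """Attacker side: the token itself is never shown, but the attacker
    knows roughly when the reset was triggered (they triggered it), so
    they enumerate every seed within +/- window seconds and submit the
    token each seed would produce. Returns the seed that worked, if any."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if service.verify(username, mt_token(seed)):
            return seed
    return None


if __name__ == "__main__":
    T0 = 1221120000                       # constructed request timestamp
    weak = ResetService(strong=False)
    weak.request_reset("victim", T0)
    found = guess_reset_token(weak, "victim", T0 + 37, window=120)
    print("weak service: seed recovered =", found,
          "after", weak.attempts, "guesses")

    strong = ResetService(strong=True)
    strong.request_reset("victim", T0)
    found = guess_reset_token(strong, "victim", T0 + 37, window=120)
    print("strong service: seed recovered =", found,
          "after", strong.attempts, "guesses")
```

The window here is a few minutes; even with no clock estimate at all, an `mt_srand` seed is a single 32-bit integer, so once one output of the generator is observed (or one token can be checked cheaply against the server) the entire seed space is enumerable offline. That is the property the CVE describes: `rand()` and `mt_rand()` are deterministic functions of a small seed, and no token-length or hashing step applied afterwards adds entropy. The fix shipped in WordPress 2.6.2 is the pattern in the `strong` branch: take the token from a source the attacker cannot reproduce.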

References

Source Reference
BUGTRAQ 20080911 Advisory 04/2008: Joomla Weak Random Password Reset Token Vulnerability
BUGTRAQ 20080911 Advisory 05/2008: Wordpress user_login Column SQL Truncation Vulnerability
MLIST [oss-security] 20080911 CVE request: wordpress < 2.6.2
MLIST [oss-security] 20080916 Re: CVE request: wordpress < 2.6.2
MISC http://www.sektioneins.de/advisories/SE-2008-02.txt
MISC http://www.sektioneins.de/advisories/SE-2008-04.txt
MISC http://www.sektioneins.de/advisories/SE-2008-05.txt
MISC http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
CONFIRM http://wordpress.org/development/2008/09/wordpress-262/
FEDORA FEDORA-2008-7760
FEDORA FEDORA-2008-7902
BID 31115
OSVDB 48700
VUPEN ADV-2008-2553
SECTRACK 1020869
SECUNIA 31737
SECUNIA 31870
SREASON 4271
XF php-rand-mtrand-weak-security(45956)