CVE-2009-3622 - Cryptographic Issues vulnerability in Wordpress

CVSS 4.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL

Summary

Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP.
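One way to bound the work a trackback handler spends on these two parameters, as an added defensive example in PHP that is not WordPress's own code: the constants, function names and the charset allow-list are assumptions, and the request values are constructed samples.

```php
<?php
// Added example (not WordPress code): sanitise the trackback "title" and
// "charset" parameters before they reach mb_convert_encoding().
// MAX_TITLE_BYTES, ALLOWED_CHARSETS and both function names are hypothetical.

const MAX_TITLE_BYTES  = 250;   // assumed cap on the title, chosen server-side
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'ASCII', 'EUC-JP', 'SJIS', 'JIS'];

/**
 * mb_convert_encoding() accepts a comma-separated list as $from_encoding and
 * runs encoding detection against every entry, so the cost of one call grows
 * with the length of the list the client sends. Collapse the list to a single
 * allow-listed name so the cost is fixed no matter what the request contains.
 */
function normalize_trackback_charset(string $raw): string
{
    foreach (explode(',', $raw) as $candidate) {
        $candidate = strtoupper(trim($candidate));
        if (in_array($candidate, ALLOWED_CHARSETS, true)) {
            return $candidate;      // first recognised entry wins
        }
    }
    return 'UTF-8';                 // nothing usable: fall back to a safe default
}

/**
 * Cut the title to a byte budget *before* converting it, so the amount of
 * conversion work is set by the server, not by the request. mb_strcut()
 * trims on a character boundary for the given encoding.
 */
function convert_trackback_title(string $title, string $charset): string
{
    $charset = normalize_trackback_charset($charset);
    $title   = mb_strcut($title, 0, MAX_TITLE_BYTES, $charset);
    return mb_convert_encoding($title, 'UTF-8', $charset);
}

// Constructed request values standing in for $_POST['title'] / $_POST['charset'].
$sampleTitle   = str_repeat('A', 300);
$sampleCharset = implode(',', array_fill(0, 20, 'utf-8'));

$out = convert_trackback_title($sampleTitle, $sampleCharset);
printf("charset used: %s, title reduced to %d bytes\n",
       normalize_trackback_charset($sampleCharset), strlen($out));
```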

Vulnerable Configurations

Part         Description   Count
Application  Wordpress     164

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Seebug

bulletinFamily: exploit
description: CVE ID: CVE-2009-3622. WordPress is a free forum/blog system. The wp-trackback.php script in WordPress lets users submit multiple source character encodings to the mb_convert_encoding() function. A remote attacker who includes an overly long title parameter together with a charset parameter made up of many comma-separated UTF-8 substrings in an HTTP request can consume a large amount of CPU. Affected: WordPress < 2.8.5. Vendor patch: WordPress. The vendor has released an upgrade to fix this security issue; download it from the vendor's site: http://wordpress.org/development/2009/10/wordpress-2-8-5-hardening-release/
id: SSV:12520
last seen: 2017-11-19
modified: 2009-10-27
published: 2009-10-27
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-12520
title: WordPress Trackback Script Denial of Service Vulnerability