Bug#: 121661
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Patrik Karlsson <patrik@cqure.net>
Description:   Opened: 2006-02-05 06:35 0000
I found the latest stable version of Wordpress (1.5.2) vulnerable to SQL
injection. The application is vulnerable as the user_agent HTTP header is not
properly escaped when submitting a comment to an article.

In order to trigger the issue:
1. Add a ' into the user agent value of your browser, or alternatively use a proxy
such as paros (http://www.parosproxy.org) to manipulate the HTTP header.
2. Add a new comment containing anything
3. The application will return an error message when trying to perform the
INSERT INTO wp_comments.

The issue is not triggered if the comment needs to go through a moderator.

I have not contacted wordpress about this as the issue is not present in their
latest stable version (2.0.1).
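To make the reported defect concrete, here is an added Python/sqlite3 model (not WordPress's own PHP code; the table is a constructed stand-in for wp_comments) of a comment INSERT that escapes the comment body but splices the raw User-Agent header into the SQL text, next to a parameterised version that is not affected:

```python
import sqlite3

# Constructed stand-in for wp_comments (not the real WordPress 1.5.2 schema).
SCHEMA = """
CREATE TABLE wp_comments (
    comment_ID INTEGER PRIMARY KEY AUTOINCREMENT,
    comment_post_ID INTEGER NOT NULL,
    comment_content TEXT NOT NULL,
    comment_agent TEXT NOT NULL
);
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_comment_unsafe(conn, post_id, content, user_agent):
    """Models the defect: the comment body is escaped, but the User-Agent
    header is concatenated into the statement verbatim."""
    escaped_content = content.replace("'", "''")
    sql = ("INSERT INTO wp_comments (comment_post_ID, comment_content, comment_agent) "
           f"VALUES ({int(post_id)}, '{escaped_content}', '{user_agent}')")
    conn.execute(sql)
    conn.commit()

def insert_comment_safe(conn, post_id, content, user_agent):
    """Hardened form: a parameterised INSERT sends header and body as data,
    so a quote in the User-Agent can never alter the statement."""
    conn.execute(
        "INSERT INTO wp_comments (comment_post_ID, comment_content, comment_agent) "
        "VALUES (?, ?, ?)",
        (int(post_id), content, user_agent),
    )
    conn.commit()

def try_insert(insert_fn, user_agent):
    """Run one insert on a fresh DB; return (succeeded, stored_agent_or_error)."""
    conn = fresh_db()
    try:
        insert_fn(conn, 1, "hello", user_agent)
    except sqlite3.Error as exc:
        return False, str(exc)   # the "error message" step 3 of the report describes
    row = conn.execute("SELECT comment_agent FROM wp_comments").fetchone()
    return True, row[0]

# Constructed header value containing a single quote, as in step 1 of the report.
QUOTED_AGENT = "Mozilla/5.0 (it's a test)"

if __name__ == "__main__":
    print(try_insert(insert_comment_unsafe, QUOTED_AGENT))  # (False, '... syntax error')
    print(try_insert(insert_comment_safe, QUOTED_AGENT))    # (True, QUOTED_AGENT)
```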

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-02-05 06:43:50 0000 -------
Aaron please advise.

------- Comment #2 From Thierry Carrez (RETIRED) 2006-02-12 10:44:44 0000 -------
superlag: *bump*

------- Comment #3 From Aaron Kulbe (RETIRED) 2006-02-12 17:14:47 0000 -------
Removing version 1.5.2 from the tree, for SQL injection issue.  Bug #121661. 
Marking 2.0.1 stable on AMD64 and x86.

All other arches, please mark stable.

------- Comment #4 From Stefan Cornelius (RETIRED) 2006-02-12 17:45:32 0000 -------
please test and mark stable, thx

------- Comment #5 From Jason Wever (RETIRED) 2006-02-12 19:11:33 0000 -------
SPARC'd

------- Comment #6 From Patrik Karlsson 2006-02-12 23:14:54 0000 -------
I contacted wordpress through their security@wordpress.org e-mail address the
6th of February but haven't heard anything. I sent a new mail today. I guess
they don't care about vulnerabilities in their older versions. I don't know how
many other distributions still ship with 1.5.2. 

------- Comment #7 From Tobias Scherbaum 2006-02-15 10:50:35 0000 -------
ppc stable

------- Comment #8 From Thierry Carrez (RETIRED) 2006-02-16 12:48:37 0000 -------
Ready for GLSA vote

------- Comment #9 From Thierry Carrez (RETIRED) 2006-02-21 10:37:44 0000 -------
I vote yes.

Patrik, no response from Wordpress? In that case I suppose we'll be free to
release if you're OK with it...

------- Comment #10 From Patrik Karlsson 2006-02-21 10:51:35 0000 -------
Ah. Sorry, I should have notified you about my progress. I got in contact with
Ryan Boren through security@wordpress.org and discussed the bug with him. His
comments were:

"1.5.2 has several security bugs that are fixed by 2.0.x, including this one.
1.5.2 is pretty much unmaintained now. We could patch this bug, but there
would still be several bugs remaining unless we backport everything from 2.0.1.
We hadn't planned on backporting anything to 1.5.2."

So it's OK with me to release.

------- Comment #11 From Aaron Kulbe (RETIRED) 2006-02-21 15:08:20 0000 -------
HPPA still needs to mark it stable.

------- Comment #12 From Thierry Carrez (RETIRED) 2006-02-22 09:58:47 0000 -------
Done by killerfox.
Security please vote on GLSA need before we open this bug.

------- Comment #13 From Thierry Carrez (RETIRED) 2006-02-23 12:02:00 0000 -------
I vote yes.

------- Comment #14 From Stefan Cornelius (RETIRED) 2006-02-23 12:06:45 0000 -------
Tend to say yes here. Is there any public disclosure date set yet?

------- Comment #15 From Thierry Carrez (RETIRED) 2006-02-23 12:16:52 0000 -------
I guess we should feel free to release it anytime, they acked it and said they
won't fix it in 1.5...

------- Comment #16 From Aaron Kulbe (RETIRED) 2006-02-23 13:41:54 0000 -------
So am I to take this as security's blessing to remove 1.5.2 from the tree, as
well? or are there yet more hoops to jump through, and jigs to dance? :)

------- Comment #17 From Thierry Carrez (RETIRED) 2006-02-24 08:40:13 0000 -------
Removing old (insecure) versions is more the maintainer choice than a security
requirement -- but feel free to do it :)

/me opens the bug now...

------- Comment #18 From Aaron Kulbe (RETIRED) 2006-02-25 09:21:17 0000 -------
Done.  1.5.2 has been removed from the tree.

------- Comment #19 From Thierry Carrez (RETIRED) 2006-03-04 08:08:25 0000 -------
GLSA 200603-01
Thx everyone
