Bug#: 163817
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Executioner <keith@email.arizona.edu>

Description:   Opened: 2007-01-25 21:07 0000
WordPress is vulnerable to the attacks described in the pingback advisory. In
testing, a single PC on a T1 connection was able to cripple two dual Xeon
Apache servers on separate 100Mb connections. This was accomplished by sending
out multiple requests to server A specifying a sourceURI on server B that was a
1GB media file. This attack utilizes resources on server A and server B, but
not the malicious user's machine.

Additionally, WordPress does not sanitize the sourceURI before passing it to
wp_remote_fopen(). This makes it possible to specify non-HTTP resources to be
read, such as local files or ftp sources. In particular, a malicious user can
determine whether certain files exist on the local file system. For example,
the following request would help determine the version of Linux being used:
    <methodCall>
        <methodName>pingback.ping</methodName>
        <params>
            <param>
                <value><string>/etc/SuSE-release</string></value>
            </param>
            <param>
                <value><string>http://b.example.com/#p</string></value>
            </param>
        </params>
    </methodCall>

If this file does not exist, fault 16 (source URI does not exist) will be
returned, and if it does exist it is likely that fault 17 (source URI does not
contain a link to the target URI) will be returned. This works whether curl or
the fopen() stream is used; only the URI has to be changed. This will not work
if the webserver user cannot read the file.

If the administrator has allowed automatic pingbacks to show up as comments, it
is possible for an attacker to have system information displayed in that
comment. For instance, an attacker could request a URL on the host with the
following text in it:
    <title>example</title><a href="valid targetURI">text</a>

If that showed up in the Apache access_log or error_log, and the webserver user
had permission to read that file, the above XML-RPC request, after determining
the OS, could specify the log as the sourceURI. This would cause some of the
log file to be displayed as a comment. The session file for PHP would be a good
target.

Recommendations:
Upgrade to WordPress 2.1. The original recommendations made to the WordPress
security team can be found below. Please note that WordPress still does not
check the content type; however, the timeout has been set to 10 seconds and as
such the impact of binary files is minimized.

The local file issues can be resolved by ensuring that the URI scheme is HTTP.
This also disallows other resources, such as ftp, from being read. In order to
prevent overly large files from being retrieved, a reasonable timeout for curl
and fopen should be set. Also, if content is missing a compatible Content-Type
(such as text/xml) it should not be read, as it cannot be parsed. The attached
patch is one possible solution to the issues described above. There are some
more significant design problems, particularly with respect to pingback
authentication. These are described in the pingback advisory and are not
addressed here, as there has been no formal specification modification yet.


Reproducible: Didn't try
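
The following is an added example, not code from WordPress, Gentoo, or the
reporter. It models the pingback.ping exchange described above: how the
Pingback fault codes 16 and 17 cited in the report leak whether a local path
exists and is readable, how an auto-approved pingback can expose a poisoned log
line, and how the recommended sourceURI scheme check and Content-Type check
remove the oracle. The host names, file paths, log line, and the list of
accepted media types are assumptions; everything runs offline against
constructed data, and the DoS/timeout recommendation is not modelled.

```python
"""Added example; not WordPress's or the reporter's code. Models the
pingback.ping probe from the bug report and the recommended sourceURI check.
All resources below are constructed stand-ins, not real servers or files."""
import xmlrpc.client
from urllib.parse import urlparse

# Pingback 1.0 fault codes the report relies on.
FAULT_SOURCE_MISSING = 16   # "source URI does not exist"
FAULT_NO_LINK = 17          # "source URI does not contain a link to the target URI"

# Constructed stand-in for everything wp_remote_fopen() could open as the
# webserver user: one remote page and two local files (names are illustrative).
FAKE_RESOURCES = {
    "http://b.example.com/#p": '<a href="http://a.example.com/?p=1">ping</a>',
    "/etc/SuSE-release": "SUSE LINUX 10.1 (i586)\nVERSION = 10.1\n",
    # A poisoned access_log line of the shape the report describes.
    "/var/log/apache2/access_log": 'GET /<title>example</title>'
                                   '<a href="http://a.example.com/?p=1">text</a> 404\n',
}


def build_pingback_request(source_uri: str, target_uri: str) -> str:
    """Serialise the pingback.ping call; sourceURI is the attacker-controlled value."""
    return xmlrpc.client.dumps((source_uri, target_uri), methodname="pingback.ping")


def source_uri_is_acceptable(uri: str) -> bool:
    """The recommended fix: accept only HTTP(S) URLs that name a host. Anything
    else ("/etc/SuSE-release", "ftp://...", "php://...", "http:///etc/passwd")
    would be handed to fopen() as a local path or another stream wrapper."""
    parts = urlparse(uri)
    return parts.scheme.lower() in {"http", "https"} and bool(parts.netloc)


def content_type_is_parsable(content_type: str) -> bool:
    """Second recommendation: do not read bodies a link search cannot parse.
    The accepted media types here are an assumption, not WordPress's list."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media in {"text/html", "application/xhtml+xml", "text/xml"}


def fault_response(code: int, message: str) -> str:
    """Constructed XML-RPC fault reply."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message), methodresponse=True)


def pingback_handler(request_xml: str, hardened: bool) -> str:
    """Toy server side. Unhardened: open whatever the sourceURI names and report
    what happened. Hardened: refuse non-HTTP URIs with the same fault used for a
    missing page, so absent and present local files look identical."""
    (source_uri, target_uri), _ = xmlrpc.client.loads(request_xml)
    if hardened and not source_uri_is_acceptable(source_uri):
        return fault_response(FAULT_SOURCE_MISSING, "The source URI does not exist.")
    body = FAKE_RESOURCES.get(source_uri)
    if body is None:
        return fault_response(FAULT_SOURCE_MISSING, "The source URI does not exist.")
    if target_uri not in body:
        return fault_response(FAULT_NO_LINK, "The source URI does not link to the target.")
    return xmlrpc.client.dumps(("Pingback registered.",), methodresponse=True)


def classify_probe(response_xml: str) -> str:
    """What the attacker learns from one reply: 16 means the path could not be
    opened, 17 means it was opened and read but held no link to the target, and
    success means it held one (with auto-approved pingbacks, its text may then
    appear as a comment)."""
    try:
        xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        return {FAULT_SOURCE_MISSING: "absent", FAULT_NO_LINK: "present"}.get(
            fault.faultCode, "unknown")
    return "linked"


def probe(source_uri: str, hardened: bool,
          target: str = "http://a.example.com/?p=1") -> str:
    """One full round trip: build the request, run the handler, read the oracle."""
    request = build_pingback_request(source_uri, target)
    return classify_probe(pingback_handler(request, hardened))


if __name__ == "__main__":
    for path in ("/etc/SuSE-release", "/etc/redhat-release", "/var/log/apache2/access_log"):
        print(f"{path:30} vulnerable={probe(path, False):8} hardened={probe(path, True)}")
```

Against the unhardened handler the three local paths answer "present", "absent"
and "linked" respectively, which is exactly the distinction the report exploits;
against the hardened handler all three answer "absent", while the legitimate
http://b.example.com/#p source still registers.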

------- Comment #1 From Steve Dibb 2007-01-26 05:21:47 0000 -------
I'm seriously considering masking wordpress until the security issues calm
down.  Three reports in three weeks do not a stable package make.

------- Comment #2 From Raphael Marichez 2007-02-10 21:17:05 0000 -------
(In reply to comment #1)
> I'm seriously considering masking wordpress until the security issues calm
> down.  Three reports in three weeks do not a stable package make.
> 

I fully agree. What's your decision?

------- Comment #3 From Raphael Marichez 2007-02-13 23:28:34 0000 -------
*** Bug 166680 has been marked as a duplicate of this bug. ***

------- Comment #4 From Raphael Marichez 2007-02-13 23:29:55 0000 -------
 + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
reported it

------- Comment #5 From Peter Westwood 2007-02-14 09:40:52 0000 -------
(In reply to comment #4)
>  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> reported it
> 

This is difficult to exploit, but a fix is now available in WordPress svn.
http://trac.wordpress.org/changeset/4876 for 2.1
http://trac.wordpress.org/changeset/4877 for 2.0.7


2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1 should be
released soon; beta versions are available from
http://wordpress.org/download/release-archive/

------- Comment #6 From Steve Dibb 2007-02-14 14:15:18 0000 -------
(In reply to comment #5)
> (In reply to comment #4)
> >  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> > reported it
> > 
> 
> This is difficult to exploit, but a fix is now available in WordPress svn.
> http://trac.wordpress.org/changeset/4876 for 2.1
> http://trac.wordpress.org/changeset/4877 for 2.0.7
> 
> 
> 2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1 should be
> released soon; beta versions are available from
> http://wordpress.org/download/release-archive/
> 

Thanks for the note, Peter.

2.0.8 added to CVS, needs to be marked stable on arches.

------- Comment #7 From Raphael Marichez 2007-02-14 15:27:14 0000 -------
Thanks Steve,

Hi arches, please test and mark stable wordpress-2.0.8.

------- Comment #8 From Peter Westwood 2007-02-14 15:34:51 0000 -------
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > >  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> > > reported it
> > > 
> > 
> > This is difficult to exploit, but a fix is now available in WordPress svn.
> > http://trac.wordpress.org/changeset/4876 for 2.1
> > http://trac.wordpress.org/changeset/4877 for 2.0.7
> > 
> > 
> > 2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1 should be
> > released soon; beta versions are available from
> > http://wordpress.org/download/release-archive/
> > 
> 
> Thanks for the note, Peter.
> 
> 2.0.8 added to CVS, needs to be marked stable on arches.
> 

NB: 2.0.8 Doesn't fix the XSS issue - 2.0.9 will fix it.

------- Comment #9 From Steve Dibb 2007-02-14 15:38:11 0000 -------
(In reply to comment #8)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > (In reply to comment #4)
> > > >  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> > > > reported it
> > > > 
> > > 
> > > This is difficult to exploit, but a fix is now available in WordPress svn.
> > > http://trac.wordpress.org/changeset/4876 for 2.1
> > > http://trac.wordpress.org/changeset/4877 for 2.0.7
> > > 
> > > 
> > > 2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1 should be
> > > released soon; beta versions are available from
> > > http://wordpress.org/download/release-archive/
> > > 
> > 
> > Thanks for the note, Peter.
> > 
> > 2.0.8 added to CVS, needs to be marked stable on arches.
> > 
> 
> NB: 2.0.8 Doesn't fix the XSS issue - 2.0.9 will fix it.
> 

Crap.  Well 2.1 is in the tree, but it's masked.  Needs some testing, if
someone wants to help there.

------- Comment #10 From Steve Dibb 2007-02-15 00:07:59 0000 -------
(In reply to comment #2)
> (In reply to comment #1)
> > I'm seriously considering masking wordpress until the security issues calm
> > down.  Three reports in three weeks do not a stable package make.
> > 
> 
> I fully agree. What's your decision?
> 

2.0.9 is coming out pretty soon, as well as 2.1.1.  I'm just going to sit on it
for now, push those into the tree when they come out, and keep an eye on it. 
If it's still going to be a problem on a regular basis, then I'll mask it until
they get things straightened out.

------- Comment #11 From Raphael Marichez 2007-02-17 22:56:56 0000 -------
> 
> 2.0.9 is coming out pretty soon, as well as 2.1.1.  I'm just going to sit on it
> for now, push those into the tree when they come out, and keep an eye on it. 
> If it's still going to be a problem on a regular basis, then I'll mask it until
> they get things straightened out.
> 

OK

------- Comment #12 From Steve Dibb 2007-02-21 15:09:35 0000 -------
2.0.9 is in the tree, needs testing and stabling

------- Comment #13 From Jakub Moc (RETIRED) 2007-02-21 19:20:13 0000 -------
*** Bug 167905 has been marked as a duplicate of this bug. ***

------- Comment #14 From Jesus de Santos Garcia 2007-02-21 23:05:32 0000 -------
x86,

wordpress-2.0.9 ebuild is working perfectly on my machine.

------- Comment #15 From Steve Dibb 2007-02-23 15:21:17 0000 -------
(In reply to comment #12)
> 2.0.9 is in the tree, needs testing and stabling
> 

adding arches to cc

------- Comment #16 From Jeroen Roovers 2007-02-23 23:29:22 0000 -------
Stable for HPPA.

------- Comment #17 From Jason Wever (RETIRED) 2007-02-24 00:00:24 0000 -------
SPARC stable

------- Comment #18 From Markus Meier 2007-02-24 12:12:13 0000 -------
www-apps/wordpress-2.0.9  USE="-vhosts"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.2-r9 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.19.3 i686)
=================================================================
System uname: 2.6.19.3 i686 AMD Athlon(TM) XP1800+
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 24 Feb 2007 11:00:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages
metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv
usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="3dnow 3dnowext X a52 aac alsa apache2 berkdb bitmap-fonts bzip2 cairo cdr
cli cracklib crypt cups dbus divx4linux dri dts dvd dvdr dvdread eds emboss
exif fam ffmpeg firefox fortran gdbm gif gnome gphoto2 gpm gstreamer gtk hal
iconv ipv6 isdnlog java jpeg kde ldap libg++ mad midi mikmod mmx mmxext mono
mp3 mpeg ncurses network nls nptl nptlonly ogg opengl oss pam pcre perl png
ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey
session spell spl ssl svg tcpd test tetex tiff truetype truetype-fonts
type1-fonts unicode usb vcd vorbis win32codecs x86 xine xinerama xml xorg
xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="mouse keyboard"
KERNEL="linux" LINGUAS="en de en_GB" USERLAND="GNU" VIDEO_CARDS="nv none"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #19 From Raúl Porcel 2007-02-24 18:54:59 0000 -------
x86 stable, thanks Markus.

------- Comment #20 From Christoph Mende 2007-02-26 13:45:40 0000 -------
emerges fine and works for me on amd64

Portage 2.1.2-r9 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.20-ck1 x86_64)
=================================================================
System uname: 2.6.20-ck1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 26 Feb 2007 10:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks
metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.gentoo.mesh-solutions.com/gentoo/
ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 audiofile berkdb bitmap-fonts branding bzip2
cairo cdinstall cdr cli cracklib crypt cups dbus divx dri dvd dvdr dvdread eds
emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal
iconv imagemagick ipod jpeg ldap libg++ lirc logrotate mad midi mikmod mp3 mpeg
ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd
quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd
test tiff truetype truetype-fonts type1-fonts unicode v4l v4l2 vim-with-x
vorbis wmp xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="fglrx radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS

------- Comment #21 From Steve Dibb 2007-02-26 16:44:46 0000 -------
amd64 stable

------- Comment #22 From Raphael Marichez 2007-02-26 22:30:30 0000 -------
crap, there is another XSS just today, see bug 168449.

calling for a vote on bug 168449

------- Comment #23 From Raphael Marichez 2007-02-27 00:35:26 0000 -------
comment #4 is wrong.

CVE-2007-0539 = SA23912 = bug 163817 = "pingback" information disclosure
http://www.securityfocus.com/bid/22220

CVE-2007-1049 = SA24306 = bug 168449 = templates.php XSS
http://www.securityfocus.com/bid/22534

------- Comment #24 From Tobias Scherbaum 2007-02-27 18:48:02 0000 -------
ppc stable

------- Comment #25 From Steve Dibb 2007-02-28 15:35:23 0000 -------
I've dropped stable keywords on wordpress.

------- Comment #26 From Raphael Marichez 2007-03-01 14:28:15 0000 -------
OK Steve,

This bug is fixed in 2.0.9 but 2.0.9 is still vulnerable to bug 168449 and bug
168529.

Since this bug is fixed and there is no stable ebuild, I close it. Feel free to
reopen if you disagree. We'll vote on bug 168529 for a GLSA or no GLSA.
