Bug 202779 - www-apps/wordpress < 2.3.2 Draft Information Disclosure
Summary: www-apps/wordpress < 2.3.2 Draft Information Disclosure
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28130/
Whiteboard: ~4 [noglsa]
Keywords:
Duplicates: 204116
Depends on:
Blocks:
 
Reported: 2007-12-19 14:03 UTC by Lars Hartmann
Modified: 2008-01-15 14:30 UTC

Description Lars Hartmann 2007-12-19 14:03:41 UTC
Michael Brooks has discovered a vulnerability in WordPress, which can be exploited by malicious people to bypass certain security restrictions and to disclose sensitive information.

The application does not properly restrict access to posted drafts to users with valid administrator credentials. This can be exploited to read drafts by accessing the index.php script with data in the "PATH_INFO" URL part ending with "wp-admin/".

Examples:
http://[host]/[path]/index.php/wp-admin/
http://[host]/[path]/index.php/test-wp-admin/

The vulnerability is confirmed in version 2.3.1. Other versions may also be affected.

Solution:
Do not post sensitive information as drafts.

Reproducible: Always
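
A log check for the request pattern described above, as an added example that is not part of the original bug report: it flags access-log entries whose path has index.php followed by PATH_INFO ending in "wp-admin/". The Apache combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status inside a Common/Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# index.php followed by PATH_INFO that ends in "wp-admin/", as in the advisory's examples.
PATH_INFO_RE = re.compile(r'/index\.php(?P<path_info>/.*wp-admin/)$')


def suspicious_path_info(target):
    """Return the PATH_INFO part if the request target matches the pattern, else None."""
    # Drop the query string, then decode percent-escapes so "wp%2Dadmin" is not missed.
    path = unquote(urlsplit(target).path)
    match = PATH_INFO_RE.search(path)
    return match.group("path_info") if match else None


def scan(lines):
    """Return (line number, client, status, PATH_INFO) for every matching log entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        request = REQUEST_RE.search(line)
        if not request:
            continue  # not a parseable request line
        path_info = suspicious_path_info(request.group("target"))
        if path_info is not None:
            hits.append((number, line.split()[0], request.group("status"), path_info))
    return hits


# Constructed sample log lines (documentation IP ranges, hypothetical /blog/ install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2007:14:00:01 +0000] "GET /blog/index.php/2007/12/hello-world/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Dec/2007:14:00:09 +0000] "GET /blog/index.php/wp-admin/ HTTP/1.1" 200 8342',
    '192.0.2.10 - - [19/Dec/2007:14:00:15 +0000] "GET /blog/wp-admin/index.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [19/Dec/2007:14:00:21 +0000] "GET /blog/index.php/test-wp%2Dadmin/?paged=2 HTTP/1.1" 200 8120',
    '203.0.113.5 - - [19/Dec/2007:14:00:30 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 1400',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: client=%s status=%s path_info=%s" % hit)
```

A hit with status 200 from a client that never authenticated is the case worth reviewing; the legitimate admin URL /wp-admin/index.php does not match because its "wp-admin/" precedes the script name.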
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2008-01-02 20:48:07 UTC
*** Bug 204116 has been marked as a duplicate of this bug. ***
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2008-01-02 20:52:06 UTC
2.3.2 is out.

On a side note - dunno folks, but we've had 4 security bugs in two months since this has been unmasked. I really feel that this code is plain hopeless to support security-wise and the ebuild should be re-masked again.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 00:28:33 UTC
(In reply to comment #2)
> On a side note - dunno folks, but we've had 4 security bugs in two months since
> this has been unmasked. I really feel that this code is plain hopeless to
> support security-wise and the ebuild should be re-masked again.

As long as upstream is actively handling vulnerabilities, I think it can stay ~arch with us ensuring fast bumps. What's the point in having this ebuild after all p.masked and security-rotting? Either maintain it (bumping-wise) or kick it.
Comment 4 Matt Summers (RETIRED) gentoo-dev 2008-01-05 16:48:53 UTC
I know many Gentoo users running this web app in a production environment. Regardless of the number of flaws discovered, WordPress is under active development, and the vulnerabilities are fixed as fast as they can be. I think dropping support would be a disservice to the Gentoo community as well as the OSS community at large. On the other hand, masking it such that users know it's a potential security risk is not a bad idea, certainly better than removing it from the tree. Perhaps maintaining it ~ARCH keyworded and adding an einfo statement regarding the history of this software would be apropos as well.

Any luck on the new ebuild for 2.3.2? I am willing to test the ebuild on amd64 (hardened and desktop) when it's available if it might be of any assistance.

Many thanks,

Summers
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-08 06:32:09 UTC
I also feel that keeping it in unstable makes more sense than having it in a masked and unmaintained state. But I added a security warning so that people are able to note the problems we see with this app.

Added 2.3.2 to the tree. All archs unstable. Removed insecure versions. webapps done here.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 14:30:36 UTC
The issues fixed in 2.3.2 are unrelated to CVE-2008-0191.