Bug 277317 (CVE-2009-2334) - <www-apps/wordpress-2.8.1 Multiple vulnerabilities (CVE-2009-{2334,2335,2336,2431,2432})
Status: RESOLVED FIXED
Alias: CVE-2009-2334
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://wordpress.org/development/2009...
Whiteboard: ~3 [noglsa]
Duplicates: 277377
 
Reported: 2009-07-10 13:38 UTC by Alex Legler (RETIRED)
Modified: 2009-07-15 19:22 UTC (History)
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 13:38:34 UTC
* Privileges Unchecked in admin.php?page= leading to Local File Includes (CVE-2009-2334)

This can be used to disclose files in the wp-content/plugins folder, or open plugin configuration pages and change settings. (In conjunction with faulty plugins, XSS is possible as well, as shown in an example)

* Other information disclosures (CVE-2009-{2335, 2336}, not yet specifically assigned)
  - Login and forgotten password facilitate valid username enumeration
  - Usernames are only hidden inside HTML comments by default
  - Several installation path disclosures
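The bug class behind CVE-2009-2334, modelled as a small standalone Python dispatcher (added here for illustration; this is not WordPress code, and the directory layout, capability name and file names are assumptions): the vulnerable version opens whatever file under wp-content/plugins the page= parameter names, with no privilege check, so an unprivileged caller can read plugin files or reach a plugin's configuration page; the hardened version requires the page to be registered, checks the caller's capability, and confines the resolved path to the plugins directory.

```python
"""Model of an admin.php?page= dispatcher: unchecked include vs. hardened.
Written for this page as an illustration, not WordPress's own code.
Paths, capability names and file contents below are constructed."""
import os
import tempfile

# Registered admin pages and the capability each one requires (assumed names).
REGISTERED_PAGES = {"demo/settings.php": "manage_options"}


class Forbidden(Exception):
    """Raised when the hardened dispatcher refuses a request."""


def setup_site():
    """Build a throwaway site tree: a plugin with a settings page, a plugin
    include that must not be served, and a wp-config.php above the plugins dir."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "wp-content", "plugins", "demo")
    os.makedirs(plugin)
    with open(os.path.join(plugin, "settings.php"), "w") as f:
        f.write("<?php /* demo plugin settings page */ ?>")
    with open(os.path.join(plugin, "secret.inc"), "w") as f:
        f.write("db_password=hunter2")  # constructed sample content
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("define('DB_PASSWORD', 'hunter2');")  # constructed sample
    return root


def admin_page_vulnerable(root, page, user_caps):
    """No privilege check and no path confinement: page= is joined straight
    onto the plugins directory and included (here: read and returned)."""
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    target = os.path.join(plugins_dir, page)
    with open(target) as f:
        return f.read()


def admin_page_hardened(root, page, user_caps):
    """Only registered pages, only for callers holding the required capability,
    and only if the resolved path stays inside the plugins directory."""
    required = REGISTERED_PAGES.get(page)
    if required is None:
        raise Forbidden("page is not a registered admin page")
    if required not in user_caps:
        raise Forbidden("caller lacks capability %r" % required)
    plugins_dir = os.path.realpath(os.path.join(root, "wp-content", "plugins"))
    target = os.path.realpath(os.path.join(plugins_dir, page))
    # realpath + commonpath defeats ../ and symlink escapes.
    if os.path.commonpath([plugins_dir, target]) != plugins_dir:
        raise Forbidden("resolved path escapes the plugins directory")
    with open(target) as f:
        return f.read()


if __name__ == "__main__":
    site = setup_site()
    # Anonymous caller reads a plugin include and traverses to wp-config.php.
    print(admin_page_vulnerable(site, "demo/secret.inc", set()))
    print(admin_page_vulnerable(site, "../../wp-config.php", set()))
    # Same requests against the hardened dispatcher are refused.
    for page in ("demo/secret.inc", "../../wp-config.php", "demo/settings.php"):
        try:
            print(admin_page_hardened(site, page, set()))
        except Forbidden as e:
            print("refused:", page, "-", e)
    print(admin_page_hardened(site, "demo/settings.php", {"manage_options"}))
```

The registration table is what turns "any file under plugins/" into "only the pages a plugin explicitly exposed", and the capability check is what the original dispatcher lacked; the realpath containment is a belt-and-braces check for the traversal variant.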
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-10 13:41:53 UTC
The latter issues are not acknowledged by upstream and thus not fixed:

Username enumeration: 
"WordPress team asserts that password and username
discrimination as well as username leakage are known and will not be
fixed because they are convenient for the users." (orig. advisory)

Path disclosures:
Upstream suggests disabling the error_reporting setting in php.ini. (cf. http://core.trac.wordpress.org/ticket/10367#comment:3)
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 23:23:51 UTC
*** Bug 277377 has been marked as a duplicate of this bug. ***
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2009-07-10 23:33:41 UTC
2.8.1 is in CVS.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 23:35:04 UTC
CVE-2009-2335 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2335):
  WordPress and WordPress MU before 2.8.1 exhibit different behavior
  for a failed login attempt depending on whether the user account
  exists, which allows remote attackers to enumerate valid usernames. 
  NOTE: the vendor reportedly disputes the significance of this issue,
  indicating that the behavior exists for "user convenience."

CVE-2009-2336 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2336):
  The forgotten mail interface in WordPress and WordPress MU before
  2.8.1 exhibits different behavior for a password request depending on
  whether the user account exists, which allows remote attackers to
  enumerate valid usernames.  NOTE: the vendor reportedly disputes the
  significance of this issue, indicating that the behavior exists for
  "user convenience."

CVE-2009-2432 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2432):
  WordPress and WordPress MU before 2.8.1 allow remote attackers to
  obtain sensitive information via a direct request to wp-settings.php,
  which reveals the installation path in an error message.
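The two enumeration issues quoted above (CVE-2009-2335 for the login form, CVE-2009-2336 for the forgotten-password form) come down to one pattern: the response depends on whether the account exists. Below is a standalone Python model of that pattern next to a uniform-response variant, added here as an illustration; it is not WordPress code, and the user table, messages and hashing parameters are constructed. The hardened login also verifies against a dummy hash when the user is missing, so the existence check does not leak through timing either.

```python
"""Username enumeration via login / password-reset responses, and the
uniform-response fix.  Illustration written for this page, not WordPress code.
Users, e-mail addresses and messages are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed PBKDF2 work factor for the illustration


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user table: one real account.
USERS = {"alice": {"pw": hash_password("correct horse"),
                   "email": "alice@example.invalid"}}

# Dummy credential so the hardened path does the same work for unknown users.
DUMMY_HASH = hash_password("placeholder")

SENT_MAIL = []  # stands in for the mailer


def send_mail(address):
    SENT_MAIL.append(address)


def login_vulnerable(username, password):
    """Distinct errors for 'no such user' and 'wrong password' (the
    CVE-2009-2335 behaviour); also returns early, so timing differs too."""
    user = USERS.get(username)
    if user is None:
        return (False, "ERROR: Invalid username.")
    if not verify_password(password, user["pw"]):
        return (False, "ERROR: Incorrect password.")
    return (True, "Logged in.")


def login_hardened(username, password):
    """One message for both failure cases, and a hash verification is always
    performed so unknown and known usernames cost the same."""
    user = USERS.get(username)
    stored = user["pw"] if user is not None else DUMMY_HASH
    ok = verify_password(password, stored) and user is not None
    if not ok:
        return (False, "ERROR: Invalid username or password.")
    return (True, "Logged in.")


def reset_vulnerable(username):
    """Tells the caller whether the account exists (CVE-2009-2336 behaviour)."""
    user = USERS.get(username)
    if user is None:
        return "ERROR: Invalid username or e-mail."
    send_mail(user["email"])
    return "Check your e-mail for the confirmation link."


def reset_hardened(username):
    """Same response either way; mail goes out only if the account exists."""
    user = USERS.get(username)
    if user is not None:
        send_mail(user["email"])
    return "If that account exists, a reset link has been sent."


def leaks_existence(fn, existing, missing):
    """True when fn's response distinguishes an existing account from a
    nonexistent one (what an attacker compares across two requests)."""
    return fn(existing) != fn(missing)


if __name__ == "__main__":
    probe = lambda u: login_vulnerable(u, "wrong")
    print("login_vulnerable leaks:", leaks_existence(probe, "alice", "bob"))
    probe = lambda u: login_hardened(u, "wrong")
    print("login_hardened leaks:", leaks_existence(probe, "alice", "bob"))
    print("reset_vulnerable leaks:", leaks_existence(reset_vulnerable, "alice", "bob"))
    print("reset_hardened leaks:", leaks_existence(reset_hardened, "alice", "bob"))
```

The same comparison, run against two real requests (a known account vs. a random name) rather than these local functions, is the check to use when deciding whether a deployment still exhibits the behaviour; status code, body and response time all count.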

Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-15 19:22:01 UTC
CVE-2009-2431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2431):
  WordPress 2.7.1 places the username of a post's author in an HTML
  comment, which allows remote attackers to obtain sensitive
  information by reading the HTML source.