134397 2006-05-26 03:44 0000 www-apps/wordpress: code injection (CVE-2006-2667,CVE-2006-2702) 2006-06-09 14:17:33 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://retrogod.altervista.org/wordpress_202_xpl.html C1 [glsa] jaervosz P2 major --- 1 falco@gentoo.org security@gentoo.org superlag@gentoo.org web-apps@gentoo.org falco@gentoo.org 2006-05-26 03:44:31 0000 To be confirmed by a quick audit or a test (it's a bit tricky). The code is too long to be reasonnably pasted here; please see the URL http://retrogod.altervista.org/wordpress_202_xpl.html Finally, rgod manages to inject shell code, but it's hard to do, and it may depend on the configuration. peter.westwood@ftwr.co.uk 2006-05-26 04:11:43 0000 FYI AFAIK this won't work on a default install as the cache of db data is not enabled in 2.0.2 unless the user enables it. It would affect 2.0.1 though as it does have the cache enabled by default if i recall correctly (or that may have been 2.0) superlag@gentoo.org 2006-05-26 10:56:28 0000 And since 2.0.1 is no longer in the tree, this seems like a moot point. Security team, wouldn't you agree? I have verified, as Peter has already mentioned, the cache is not on, unless enabled by the user. peter.westwood@ftwr.co.uk 2006-05-26 14:39:58 0000 This is now patched upstream on the 2.0 branch for a future 2.0.3 release: http://trac.wordpress.org/changeset/3797 I don't know when the release is targetted for yet though. jaervosz@gentoo.org 2006-05-30 21:08:56 0000 It's still vulnerable, just not in default configuration hence the C rating above. Aaron would you prefer to extract patch from CVS or wait for the upstream release? peter.westwood@ftwr.co.uk 2006-06-01 02:04:28 0000 v2.0.3 is now released with the fix for this included. See: wordpress.org/development/2006/06/wordpress-203/ frilled@gentoo.org 2006-06-01 02:15:46 0000 BTW, it eludes me how we can have phpBB masked and this one in stable... jaervosz@gentoo.org 2006-06-01 09:34:27 0000 web-apps please bump. superlag@gentoo.org 2006-06-01 14:02:10 0000 Coming right up. I'll have it in the tree shortly. superlag@gentoo.org 2006-06-01 14:41:37 0000 Bumped. Marked stable on amd64. Yes, I'm on the arch team. :) Call in the cavalry. Let's have some keywording fun. falco@gentoo.org 2006-06-01 16:17:02 0000 Hi arches, you can go and stabilize wordpress-2.0.3 please falco@gentoo.org 2006-06-01 16:17:57 0000 amd64 already done, this is just for Koon's statistics tsunam@gentoo.org 2006-06-01 21:03:38 0000 x86 is done ^.^ dertobi123@gentoo.org 2006-06-01 22:03:23 0000 ppc stable gustavoz@gentoo.org 2006-06-02 06:44:34 0000 sparc stable. killerfox@gentoo.org 2006-06-03 02:45:30 0000 stable on hppa falco@gentoo.org 2006-06-03 05:32:16 0000 good, ready for GLSA wgi@muenster.de 2006-06-07 09:43:21 0000 Might be even A3 if the bundled version is affected, too. Quite some php apps use gd. wgi@muenster.de 2006-06-07 09:45:25 0000 Sorry, wrong bug from cache :( jaervosz@gentoo.org 2006-06-08 21:07:29 0000 Peter/Aaron is there any way for a site admin to globally enable/disable this feature? (As I can't seem to find it) peter.westwood@ftwr.co.uk 2006-06-09 02:39:09 0000 You don't/can't globally enable it for all installs. You enable it on an install by install basis in wp-config.php with: define('ENABLE_CACHE',True); You can force it off (although it is off by default) with: define('DISABLE_CACHE',True); falco@gentoo.org 2006-06-09 14:17:33 0000 GLSA 200606-08 , thanks everybody and particularly jaervosz.