Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 163817

Summary: www-apps/wordpress (versions < 2.0.9) File Enumeration CVE-2007-0541
Product: Gentoo Security Reporter: Executioner <keith>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: beandog, jesus.de.santos, sgtphou, tom, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.securiteam.com/unixfocus/5WP0L1FKAI.html
Whiteboard: B4 [noglsa] XSS and information leak
Package list:
Runtime testing required: ---

Description Executioner 2007-01-25 21:07:33 UTC 
WordPress is vulnerable to the attacks described in the pingback advisory. In testing, a single PC on a T1 connection was able to cripple two dual Xeon apache servers on separate 100Mb connection. This was accomplished by sending out multiple requests to server A specifying a sourceURI on server B that was a 1GB media file. This attack utilizes resources on server A and server B, but not the malicious users machine.

Additionally, WordPress does not sanitize the sourceURI before passing it to wp_remote_fopen(); This makes it possible to specify non-HTTP resources to be read such as local files or ftp sources. In particular, a malicious user can determine whether certain files exist on the local file system. For example, the following request would help determine the version of Linux being used:
    <methodCall>
        <methodName>pingback.ping</methodName>
        <params>
            <param>
                <value><string>/etc/SuSE-release</string></value>
            </param>
            <param>
                <value><string>http://b.example.com/#p</string></value>
            </param>
        </params>
    </methodCall>

If this file does not exist, fault 16 (source URI does not exist) will be returned and if it does exist it is likely that fault 17 (source URI does not contain a link to the target URI) will be returned. This works whether curl or the fopen() stream is used, only the uri has to be changed. This will not work if the webserver user can not read the file.

If the administrator has allowed automatic pingbacks to show up as comments, it is possible for an attacker to have system information display in that comment. For instance, an attacker could request a url on the host with the following text in it:
    <title>example</title><a href="valid targetURI">text</a>

If that showed up in the apache access_log or error_log, and the webserver user had permission to read that file the above XMLRPC request, after determining the OS, could specify the log as the sourceURI. This would cause some of the log file to be displayed as a comment. The session file for PHP would be a good target.

Recommendations:
Upgrade to Wordpress 2.1. The original recommendations made to the WordPress security team can be found below. Please note that Wordpress still does not check the content type, however the timeout has been set to 10 seconds and as such the impact of binary files is minimized.

The local file issues can be resolved by ensuring that the URI scheme is HTTP. This also disallows other resources, such as ftp, from being read. In order to prevent overly large files from being retrieved, a reasonable timeout for curl and fopen should be set. Also, if content is missing a compatible Content-Type (such as text/xml) it should not be read as it can not be parsed. The attached patch is one possible solution to the issues described above. There are some more significant design problems, particularly with respect to pingback authentication. These are described in the pingback advisory and are not addressed here, as there has been no formal specification modification yet.


Reproducible: Didn't try
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2007-01-26 05:21:47 UTC 
I'm seriously considering masking wordpress until the security issues calm down.  Three reports in three weeks do not a stable package make.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 21:17:05 UTC 
(In reply to comment #1)
> I'm seriously considering masking wordpress until the security issues calm
> down.  Three reports in three weeks do not a stable package make.
> 

I fully agree. What's your decision?
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 23:28:34 UTC 
*** Bug 166680 has been marked as a duplicate of this bug. ***
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-13 23:29:55 UTC 
 + http://www.securityfocus.com/bid/22534 thanks to Executioner for having reported it
Comment 5 Peter Westwood 2007-02-14 09:40:52 UTC 
(In reply to comment #4)
>  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> reported it
> 

This is difficult to exploit but fix is now available in WordPress svn.
http://trac.wordpress.org/changeset/4876 for 2.1
http://trac.wordpress.org/changeset/4877 for 2.0.7


2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1  should be released soon beta versions are available from http://wordpress.org/download/release-archive/
Comment 6 Steve Dibb (RETIRED) gentoo-dev 2007-02-14 14:15:18 UTC 
(In reply to comment #5)
> (In reply to comment #4)
> >  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> > reported it
> > 
> 
> This is difficult to exploit but fix is now available in WordPress svn.
> http://trac.wordpress.org/changeset/4876 for 2.1
> http://trac.wordpress.org/changeset/4877 for 2.0.7
> 
> 
> 2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1  should be
> released soon beta versions are available from
> http://wordpress.org/download/release-archive/
> 

Thanks for the note, Peter.

2.0.8 added to CVS, needs to be marked stable on arches.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 15:27:14 UTC 
Thanks Steve,

hi arches, please test and mark stable wordpress-2.0.8 please.
Comment 8 Peter Westwood 2007-02-14 15:34:51 UTC 
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > >  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> > > reported it
> > > 
> > 
> > This is difficult to exploit but fix is now available in WordPress svn.
> > http://trac.wordpress.org/changeset/4876 for 2.1
> > http://trac.wordpress.org/changeset/4877 for 2.0.7
> > 
> > 
> > 2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1  should be
> > released soon beta versions are available from
> > http://wordpress.org/download/release-archive/
> > 
> 
> Thanks for the note, Peter.
> 
> 2.0.8 added to CVS, needs to be marked stable on arches.
> 

NB: 2.0.8 Doesn't fix the XSS issue - 2.0.9 will fix it.
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-02-14 15:38:11 UTC 
(In reply to comment #8)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > (In reply to comment #4)
> > > >  + http://www.securityfocus.com/bid/22534 thanks to Executioner for having
> > > > reported it
> > > > 
> > > 
> > > This is difficult to exploit but fix is now available in WordPress svn.
> > > http://trac.wordpress.org/changeset/4876 for 2.1
> > > http://trac.wordpress.org/changeset/4877 for 2.0.7
> > > 
> > > 
> > > 2.0.9 (2.0.8 is already tagged but not released yet) and 2.1.1  should be
> > > released soon beta versions are available from
> > > http://wordpress.org/download/release-archive/
> > > 
> > 
> > Thanks for the note, Peter.
> > 
> > 2.0.8 added to CVS, needs to be marked stable on arches.
> > 
> 
> NB: 2.0.8 Doesn't fix the XSS issue - 2.0.9 will fix it.
> 

Crap.  Well 2.1 is in the tree, but it's masked.  Needs some testing, if someone wants to help there.
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2007-02-15 00:07:59 UTC 
(In reply to comment #2)
> (In reply to comment #1)
> > I'm seriously considering masking wordpress until the security issues calm
> > down.  Three reports in three weeks do not a stable package make.
> > 
> 
> I fully agree. What's your decision?
> 

2.0.9 is coming out pretty soon, as well as 2.1.1.  I'm just going to sit on it for now, push those into the tree when they come out, and keep an eye on it.  If it's still going to be a problem on a regular basis, then I'll mask it until they get things straightened out.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-17 22:56:56 UTC 
> 
> 2.0.9 is coming out pretty soon, as well as 2.1.1.  I'm just going to sit on it
> for now, push those into the tree when they come out, and keep an eye on it. 
> If it's still going to be a problem on a regular basis, then I'll mask it until
> they get things straightened out.
> 

OK
Comment 12 Steve Dibb (RETIRED) gentoo-dev 2007-02-21 15:09:35 UTC 
2.0.9 is in the tree, needs testing and stabling
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2007-02-21 19:20:13 UTC 
*** Bug 167905 has been marked as a duplicate of this bug. ***
Comment 14 Jesus de Santos Garcia 2007-02-21 23:05:32 UTC 
x86,

wordpress-2.0.9 ebuild is working perfectly in my machine.
Comment 15 Steve Dibb (RETIRED) gentoo-dev 2007-02-23 15:21:17 UTC 
(In reply to comment #12)
> 2.0.9 is in the tree, needs testing and stabling
> 

adding arches to cc
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2007-02-23 23:29:22 UTC 
Stable for HPPA.
Comment 17 Jason Wever (RETIRED) gentoo-dev 2007-02-24 00:00:24 UTC 
SPARC stable
Comment 18 Markus Meier gentoo-dev 2007-02-24 12:12:13 UTC 
www-apps/wordpress-2.0.9  USE="-vhosts"
1. emerges on x86
2. passes collision test
3. works

Portage 2.1.2-r9 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.19.3 i686)
=================================================================
System uname: 2.6.19.3 i686 AMD Athlon(TM) XP1800+
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 24 Feb 2007 11:00:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="3dnow 3dnowext X a52 aac alsa apache2 berkdb bitmap-fonts bzip2 cairo cdr cli cracklib crypt cups dbus divx4linux dri dts dvd dvdr dvdread eds emboss exif fam ffmpeg firefox fortran gdbm gif gnome gphoto2 gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde ldap libg++ mad midi mikmod mmx mmxext mono mp3 mpeg ncurses network nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl seamonkey session spell spl ssl svg tcpd test tetex tiff truetype truetype-fonts type1-fonts unicode usb vcd vorbis win32codecs x86 xine xinerama xml xorg xprint xv xvid zlib" ELIBC="glibc" INPUT_DEVICES="mouse keyboard" KERNEL="linux" LINGUAS="en de en_GB" USERLAND="GNU" VIDEO_CARDS="nv none"
Unset:  CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2007-02-24 18:54:59 UTC 
x86 stable, thanks Markus.
Comment 20 Christoph Mende (RETIRED) gentoo-dev 2007-02-26 13:45:40 UTC 
emerges fine and works for me on amd64

Portage 2.1.2-r9 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20-ck1 x86_64)
=================================================================
System uname: 2.6.20-ck1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 26 Feb 2007 10:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dri dvd dvdr dvdread eds emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick ipod jpeg ldap libg++ lirc logrotate mad midi mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd test tiff truetype truetype-fonts type1-fonts unicode v4l v4l2 vim-with-x vorbis wmp xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="fglrx radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 21 Steve Dibb (RETIRED) gentoo-dev 2007-02-26 16:44:46 UTC 
amd64 stable
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-26 22:30:30 UTC 
crap, there is another XSS just today, see bug 168449.

calling for a vote on bug 168449
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 00:35:26 UTC 
comment #4 is wrong.

CVE-2007-0539 = SA23912 = bug 163817 = "pingback" information disclosure
http://www.securityfocus.com/bid/22220

CVE-2007-1049 = SA24306 = bug 168449 = templates.php XSS
http://www.securityfocus.com/bid/22534
Comment 24 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-27 18:48:02 UTC 
ppc stable
Comment 25 Steve Dibb (RETIRED) gentoo-dev 2007-02-28 15:35:23 UTC 
Ive dropped stable keywords on wordpress.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-01 14:28:15 UTC 
OK Steeve,

This bug is fixed in 2.0.9 but 2.0.9 is still vulnerable to bug 168449 and bug 168529.

Since this bug is fixed and there is no stable ebuild, i close it. Feel free to reopen if you disagree. We'll vote on bug 168529 for a GLSA or no GLSA.