
Bug 168449

Summary: www-apps/wordpress XSS vulnerability (CVE-2007-1049)
Product: Gentoo Security
Reporter: Pierre-Yves Rofes (RETIRED) <py>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: beandog, kccricket, moixa, peter.westwood, security, sgtphou
Priority: High
Version: unspecified
Hardware: m68k
OS: Linux
URL: http://secunia.com/advisories/24306/
Whiteboard: B4 [maskglsa] DerCorny
Package list:
Runtime testing required: ---

Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-02-26 12:44:46 UTC
Input passed to the "file" parameter in wp-admin/templates.php (when
"action" is set to "update") is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected
site.

Successful exploitation requires that the target user is logged in as
an administrator.

The vulnerability is confirmed in version 2.1. Prior versions may
also be affected.


Reproducible: Always

Steps to Reproduce:
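The description above is the classic reflected-XSS shape: a request parameter is written back into the HTML response without escaping. The snippet below is an added illustration of that pattern next to its hardened form; it is constructed for this bug page and is not WordPress's wp-admin/templates.php. The function names, the `EDITABLE_TEMPLATES` allowlist and the sample request are all assumptions.

```php
<?php
// Constructed illustration of the reflected-XSS pattern described in the bug.
// NOT WordPress's templates.php; names, allowlist and sample input are assumed.

// Vulnerable pattern: the "file" parameter is concatenated straight into the
// page, so any markup it carries is rendered by the administrator's browser.
function render_template_editor_vulnerable(array $request): string
{
    $file = $request['file'] ?? '';
    return '<h2>Editing ' . $file . '</h2>';
}

// Assumed allowlist of theme files the editor is permitted to open.
const EDITABLE_TEMPLATES = ['index.php', 'single.php', 'style.css'];

// Hardened pattern: validate the parameter against a fixed allowlist first,
// and HTML-escape it on output regardless of where it came from.
function render_template_editor_hardened(array $request): string
{
    $file = $request['file'] ?? '';
    if (!in_array($file, EDITABLE_TEMPLATES, true)) {
        return '<p>Invalid template file.</p>';
    }
    $safe = htmlspecialchars($file, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Editing ' . $safe . '</h2>';
}

// Constructed sample request: the "update" action with markup in "file".
$sample = ['action' => 'update', 'file' => '"><i>injected</i>'];

echo "vulnerable: " . render_template_editor_vulnerable($sample) . PHP_EOL;
// markup reaches the page verbatim: <h2>Editing "><i>injected</i></h2>
echo "hardened:   " . render_template_editor_hardened($sample) . PHP_EOL;
// rejected by the allowlist: <p>Invalid template file.</p>

$legit = ['action' => 'update', 'file' => 'style.css'];
echo "hardened:   " . render_template_editor_hardened($legit) . PHP_EOL;
// allowed and escaped on output: <h2>Editing style.css</h2>
```

The two controls are independent: the allowlist limits which file the editor will touch at all, and the output escaping (with ENT_QUOTES so both attribute and element contexts are covered) keeps any value that does pass validation from being interpreted as markup. The bug's own note that exploitation requires an administrator session is what makes this reflected XSS serious rather than minor: the script runs with the victim's admin privileges.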
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-26 14:09:34 UTC
Hi, given that >=2.1 is masked because it needs more testing and considering the long list of security bugs, I would like to mask the whole package. Comments?
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-26 22:30:51 UTC
I agree, and see bug 163817 which is hardly solved, there is already another XSS!

I'm sure Steve will agree too.

I vote for a GLSA since wordpress is rather common.
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2007-02-26 22:40:42 UTC
The bug is probably already fixed in 2.1.1, which is in the tree.  If it's present in 2.0.9 as well, then I have no problems with masking the whole package.
Comment 4 Peter Westwood 2007-02-26 22:49:38 UTC
(In reply to comment #3)
> The bug is probably already fixed in 2.1.1, which is in the tree.  If it's
> present in 2.0.9 as well, then I have no problems with masking the whole
> package.
> 

This is what 2.1.1 and 2.0.9 were released to fix AFAIK.

And it is already noted on bug 163817, see http://bugs.gentoo.org/show_bug.cgi?id=163817#c4

Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 00:36:04 UTC
(In reply to comment #4)

> And is already noted on bug 163817 See
> http://bugs.gentoo.org/show_bug.cgi?id=163817#c4
>  

we were wrong, that's not the same, sorry. Thank you for having pointed it out.

I've just looked into the diff between 2.0.7, 2.0.8, and 2.0.9 and the only change in templates.php is between 2.0.9 and 2.1.
That's inconsistent with Secunia which says that 2.1 is affected and 2.1.1 is fixed. As for me, 2.0.9 is vulnerable and 2.1 is fixed, but I'm not sure.

CVE-2007-0539 = SA23912 = bug 163817 = "pingback" information disclosure
http://www.securityfocus.com/bid/22220

CVE-2007-1049 = SA24306 = bug 168449 = templates.php XSS
http://www.securityfocus.com/bid/22534
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-27 15:11:37 UTC
and another one! bug #168529 ... mask?
Comment 7 Keith Constable 2007-03-03 17:05:07 UTC
I can say with certainty that this is fixed in 2.1.2.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:27:35 UTC

*** This bug has been marked as a duplicate of bug 168529 ***