Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 121661 - www-apps/wordpress SQL Injection
Summary: www-apps/wordpress SQL Injection
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-02-05 06:35 UTC by Patrik Karlsson
Modified: 2006-03-04 08:08 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Patrik Karlsson 2006-02-05 06:35:08 UTC 
I found the latest stable version of Wordpress (1.5.2) vulnerable to SQL injection. The application is vulnerable as the user_agent HTTP header is not properly escaped when submitting a comment to an article.

In order to trigger the issue:
1. Add a ' into the user agent value of your browser alternatively use a proxy such as paros (http://www.parosproxy.org) to manipulate the HTTP header.
2. Add a new comment containing anything
3. The application will return an error message when trying to perform the INSERT INTO wp_comments.

The issue is not triggered if the comment needs to go through a moderator.

I have not contacted wordpress about this as the issue is not present in their latest stable version (2.0.1).
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-05 06:43:50 UTC 
Aaron please advise.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-02-12 10:44:44 UTC 
superlag: *bump*
Comment 3 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-12 17:14:47 UTC 
Removing version 1.5.2 from the tree, for SQL injection issue.  Bug #121661.  Marking 2.0.1 stable on AMD64 and x86.

All other arches, please mark stable.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-12 17:45:32 UTC 
please test and mark stable, thx
Comment 5 Jason Wever (RETIRED) gentoo-dev 2006-02-12 19:11:33 UTC 
SPARC'd
Comment 6 Patrik Karlsson 2006-02-12 23:14:54 UTC 
I contacted wordpress through their security@wordpress.org e-mail address the 6th of February but haven't heard anything. I sent a new mail today. I guess they don't care about vulnerabilities in their older versions. I don't know how many other distributions still ship with 1.5.2.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-15 10:50:35 UTC 
ppc stable
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 12:48:37 UTC 
Ready for GLSA vote
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 10:37:44 UTC 
I vote yes.

Patrik, no response from Wordpress ? In thaht case I suppose we'll be free to release if you're OK with it...
Comment 10 Patrik Karlsson 2006-02-21 10:51:35 UTC 
ah. Sorry should have notified you about my progress. I got in contact with Ryan Boren through security@wordpress.org and discussed the bug with him. His comments were:

"1.5.2 has several security bugs that are fixed by 2.0.x, including this one.  1.5.2 is pretty much unmaintained now.  We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1.  We hadn't planned on backporting anything to 1.5.2."

So it's OK to release with me.
Comment 11 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-21 15:08:20 UTC 
HPPA still needs to mark it stable.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2006-02-22 09:58:47 UTC 
Done by killerfox.
Security please vote on GLSA need before we open this bug.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-02-23 12:02:00 UTC 
I vote yes.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 12:06:45 UTC 
Tend to say yes here. Is there any public disclosure date set yet?
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-02-23 12:16:52 UTC 
I guess we should feel free to release it anytime, they acked it and said they won't fix it in 1.5...
Comment 16 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-23 13:41:54 UTC 
So am I to take this as security's blessing to remove 1.5.2 from the tree, as well? or are there yet more hoops to jump through, and jigs to dance? :)
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2006-02-24 08:40:13 UTC 
Removing old (insecure) versions is more the maintainer choice than a security requirement -- but feel free to do it :)

/me opens the bug now...
Comment 18 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-25 09:21:17 UTC 
Done.  1.5.2 has been removed from the tree.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-03-04 08:08:25 UTC 
GLSA 200603-01
Thx everyone