Bug#: 168449
Status: RESOLVED
Resolution: DUPLICATE of bug 168529
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Pierre-Yves Rofes <py@gentoo.org>
Description:   Opened: 2007-02-26 12:44 0000
Input passed to the "file" parameter in wp-admin/templates.php (when
"action" is set to "update") is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected
site.

Successful exploitation requires that the target user is logged in as
an administrator.

The vulnerability is confirmed in version 2.1. Prior versions may
also be affected.


Reproducible: Always

Steps to Reproduce:
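As an added illustration (not the original report's code and not WordPress's own templates.php), a minimal PHP handler showing the unescaped-reflection pattern the report describes beside a hardened version; the function names, the page markup and the allow-list are assumptions:

```php
<?php
// Hypothetical template-editor handler. It reflects the "file" parameter
// back to the user when action=update, which is the pattern the report
// describes. The markup and the allow-list below are assumptions made for
// this illustration, not WordPress's real checks.

$action = isset($_GET['action']) ? (string) $_GET['action'] : '';
$file   = isset($_GET['file'])   ? (string) $_GET['file']   : '';

// --- Vulnerable pattern (what the report describes) ---
// The raw parameter is written into the page body and into an attribute
// without HTML encoding, so markup in the value becomes part of the page.
function render_unsafe(string $file): string
{
    return '<p>Editing ' . $file . '</p>'
         . '<input type="hidden" name="file" value="' . $file . '">';
}

// --- Hardened pattern ---
// Every reflection of untrusted input is HTML-encoded for its context.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// attributes delimited by either quote character.
function render_safe(string $file): string
{
    $enc = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
    return '<p>Editing ' . $enc . '</p>'
         . '<input type="hidden" name="file" value="' . $enc . '">';
}

if ($action === 'update') {
    // Defence in depth (assumed here): reduce the parameter to a bare file
    // name and accept only known template names before using it at all.
    $allowed = ['index.php', 'style.css'];
    $name = basename($file);
    if (!in_array($name, $allowed, true)) {
        http_response_code(400);
        exit('Unknown template');
    }
    echo render_safe($name);
}
```

The allow-list check limits what reaches the page at all; the output encoding in render_safe is what prevents the reflected markup itself.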

------- Comment #1 From Stefan Cornelius (RETIRED) 2007-02-26 14:09:34 0000 -------
Hi, given that >=2.1 is masked because it needs more testing and considering
the long list of security bugs, I would like to mask the whole package.
Comments?

------- Comment #2 From Raphael Marichez 2007-02-26 22:30:51 0000 -------
I agree, and see bug 163817, which is hardly solved; there is already another
XSS!

I'm sure Steve will agree too.

I vote for a GLSA since wordpress is rather common.

------- Comment #3 From Steve Dibb 2007-02-26 22:40:42 0000 -------
The bug is probably already fixed in 2.1.1, which is in the tree.  If it's
present in 2.0.9 as well, then I have no problems with masking the whole
package.

------- Comment #4 From Peter Westwood 2007-02-26 22:49:38 0000 -------
(In reply to comment #3)
> The bug is probably already fixed in 2.1.1, which is in the tree.  If it's
> present in 2.0.9 as well, then I have no problems with masking the whole
> package.
> 

This is what 2.1.1 and 2.0.9 were released to fix AFAIK.

And it is already noted on bug 163817; see
http://bugs.gentoo.org/show_bug.cgi?id=163817#c4

------- Comment #5 From Raphael Marichez 2007-02-27 00:36:04 0000 -------
(In reply to comment #4)

> And is already noted on bug 163817 See
> http://bugs.gentoo.org/show_bug.cgi?id=163817#c4
>  

We were wrong, that's not the same, sorry. Thank you for having pointed it out.

I've just looked into the diff between 2.0.7, 2.0.8, and 2.0.9, and the only
change in templates.php is between 2.0.9 and 2.1.
That's inconsistent with Secunia, which says that 2.1 is affected and 2.1.1 is
fixed. As for me, 2.0.9 is vulnerable and 2.1 is fixed, but I'm not sure.

CVE-2007-0539 = SA23912 = bug 163817 = "pingback" information disclosure
http://www.securityfocus.com/bid/22220

CVE-2007-1049 = SA24306 = bug 168449 = templates.php XSS
http://www.securityfocus.com/bid/22534

------- Comment #6 From Stefan Cornelius (RETIRED) 2007-02-27 15:11:37 0000 -------
And another one! Bug #168529 ... mask?

------- Comment #7 From Keith Constable 2007-03-03 17:05:07 0000 -------
I can say with certainty that this is fixed in 2.1.2.

------- Comment #8 From Raphael Marichez 2007-03-14 00:27:35 0000 -------

*** This bug has been marked as a duplicate of bug 168529 ***
