Bug 168449 - www-apps/wordpress XSS vulnerability (CVE-2007-1049)
Summary: www-apps/wordpress XSS vulnerability (CVE-2007-1049)
Status: RESOLVED DUPLICATE of bug 168529
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: m68k Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24306/
Whiteboard: B4 [maskglsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2007-02-26 12:44 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-03-14 00:27 UTC
CC: 6 users

See Also:
Package list:
Runtime testing required: ---


Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-02-26 12:44:46 UTC
Input passed to the "file" parameter in wp-admin/templates.php (when
"action" is set to "update") is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected
site.

Successful exploitation requires that the target user is logged in as
an administrator.

The vulnerability is confirmed in version 2.1. Prior versions may
also be affected.


Reproducible: Always

Steps to Reproduce:
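As an added illustration of the bug class described in this report (constructed example, not code from WordPress or from the reporter): a theme-editor page that reflects a "file" request parameter into its HTML unescaped, beside a hardened version that allowlists the name against the real theme directory and HTML-escapes anything it reflects. The function names, the theme directory and the sample input are assumptions.

```php
<?php
// Constructed illustration of the bug class described above; this is not
// WordPress code. A theme-editor page reflects the "file" request parameter
// into its HTML, as wp-admin/templates.php is reported to do.

// Vulnerable pattern: the parameter is concatenated into markup unescaped, so
// any HTML or script in it is rendered by the administrator's browser.
function render_heading_vulnerable(string $file): string
{
    return "<h2>Editing $file</h2>";
}

// Hardened pattern, two independent layers:
//  1. allowlist: only names that resolve to a regular file inside the theme
//     directory are accepted (rejects "../" tricks and arbitrary strings);
//  2. output encoding: whatever is reflected is HTML-escaped, quotes included,
//     so it cannot break out of the surrounding element or attribute.
function render_heading_safe(string $file, string $theme_dir): string
{
    $theme_dir = realpath($theme_dir);
    $target    = ($theme_dir === false)
        ? false
        : realpath($theme_dir . DIRECTORY_SEPARATOR . $file);
    if ($target === false
        || !is_file($target)
        || strpos($target, $theme_dir . DIRECTORY_SEPARATOR) !== 0) {
        // Not a file inside the theme directory: reflect nothing attacker-controlled.
        return '<h2>Editing: invalid file</h2>';
    }
    $escaped = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
    return "<h2>Editing $escaped</h2>";
}

// Demo with a constructed input that carries markup instead of a file name.
$input = '<b>not-a-file</b>';
echo render_heading_vulnerable($input), "\n";      // markup is passed through as-is
echo render_heading_safe($input, __DIR__), "\n";   // rejected by the allowlist

// A name that really exists in the directory (this script itself) is accepted,
// and would still be escaped if it contained special characters.
echo render_heading_safe(basename(__FILE__), __DIR__), "\n";
```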
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-26 14:09:34 UTC
Hi, given that >=2.1 is masked because it needs more testing and considering the long list of security bugs, I would like to mask the whole package. Comments?
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-26 22:30:51 UTC
I agree, and see bug 163817 which is hardly solved, there is already another XSS!

I'm sure Steve will agree too.

I vote for a GLSA since wordpress is rather common.
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2007-02-26 22:40:42 UTC
The bug is probably already fixed in 2.1.1, which is in the tree.  If it's present in 2.0.9 as well, then I have no problems with masking the whole package.
Comment 4 Peter Westwood 2007-02-26 22:49:38 UTC
(In reply to comment #3)
> The bug is probably already fixed in 2.1.1, which is in the tree.  If it's
> present in 2.0.9 as well, then I have no problems with masking the whole
> package.
> 

This is what 2.1.1 and 2.0.9 were released to fix AFAIK.

And it is already noted on bug 163817; see http://bugs.gentoo.org/show_bug.cgi?id=163817#c4

Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 00:36:04 UTC
(In reply to comment #4)

> And is already noted on bug 163817 See
> http://bugs.gentoo.org/show_bug.cgi?id=163817#c4
>  

We were wrong, that's not the same, sorry. Thank you for having pointed it out.

I've just looked into the diff between 2.0.7, 2.0.8, and 2.0.9, and the only change in templates.php is between 2.0.9 and 2.1.
That's inconsistent with Secunia, which says that 2.1 is affected and 2.1.1 is fixed. As for me, 2.0.9 is vulnerable and 2.1 is fixed, but I'm not sure.

CVE-2007-0539 = SA23912 = bug 163817 = "pingback" information disclosure
http://www.securityfocus.com/bid/22220

CVE-2007-1049 = SA24306 = bug 168449 = templates.php XSS
http://www.securityfocus.com/bid/22534
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2007-02-27 15:11:37 UTC
And another one! Bug #168529 ... mask?
Comment 7 Keith Constable 2007-03-03 17:05:07 UTC
I can say with certainty that this is fixed in 2.1.2.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:27:35 UTC

*** This bug has been marked as a duplicate of bug 168529 ***