Bug 102002 - www-apps/wordpress: "cache_lastpostdate" PHP Code Insertion
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/16386/
Whiteboard: C3? [noglsa] jaervosz
Reported: 2005-08-10 09:34 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-08-21 06:31 UTC
Description Jean-François Brunette (RETIRED) gentoo-dev 2005-08-10 09:34:18 UTC
Description:
kartoffelguru has discovered a vulnerability in WordPress, which can be 
exploited by malicious people to compromise a vulnerable system.

Input passed to the "cache_lastpostdate" parameter via cookies is not properly 
sanitised before being used. This can be exploited to inject arbitrary PHP 
script code.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 1.5.1.3. Other versions may 
also be affected.
Comment 1 Aaron Kulbe (RETIRED) gentoo-dev 2005-08-10 23:03:32 UTC
I'm aware of this.  I don't since if this merits being put into package.mask yet, since register_globals is off 
by default in Gentoo's implementation of PHP.

Upstream is aware of this and 1.5.2 is due in the next couple days, with patches.
Comment 2 Aaron Kulbe (RETIRED) gentoo-dev 2005-08-11 05:19:40 UTC
The joys of typing when you're dead tired... this post was *supposed* to say the following:

I'm aware of this.  I don't know if this merits being put into package.mask yet, since register_globals is off 
by default in Gentoo's implementation of PHP.

Upstream is aware of this and 1.5.2 is due in the next couple days, with patches.
Comment 3 Aaron Kulbe (RETIRED) gentoo-dev 2005-08-14 22:26:47 UTC
Bumped to version 1.5.2 - which fixes this issue.  Just committed, should be on the mirrors shortly.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-14 22:30:37 UTC
Thx Aaron. This one is ready for GLSA decision, I tend to vote NO. 
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-14 22:37:25 UTC
I tend to a no, too.
Comment 6 Aaron Kulbe (RETIRED) gentoo-dev 2005-08-14 23:48:34 UTC
Sorry guys.  Got trigger happy on the commit and didn't keyword ~ properly.  Fixed and recommitted.
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-15 06:12:19 UTC
Stable on ppc.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2005-08-15 19:27:19 UTC
Stable on SPARC. 
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2005-08-20 23:51:13 UTC
Sorry for the delay... x86 there
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-21 00:16:38 UTC
Ready for GLSA vote, 1/2 no from me.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-08-21 06:31:16 UTC
Add my full NO to this. register_globals is evil. Closing.
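
A host-side check for the two conditions this bug turns on (a WordPress version older than the 1.5.2 fix, and `register_globals` enabled in php.ini), given here as an added example that is not part of the bug thread. The function names, verdict words and sample php.ini contents are assumptions constructed for illustration.

```shell
# Added example, not from the bug thread: rate a host against the two
# conditions named in this bug. Function names and verdicts are assumptions.
FIXED=1.5.2   # release the thread reports as fixing the issue

# Print "on" or "off": effective register_globals value in a php.ini file.
php_register_globals() {
    awk '
        /^[ \t]*;/ { next }                       # whole-line comment
        {
            line = $0; sub(/;.*$/, "", line)      # drop trailing comment
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t"]/, "", key); gsub(/[ \t"]/, "", val)
            if (key == "register_globals") last = tolower(val)  # last wins
        }
        END {
            t = (last == "on" || last == "1" || last == "true" || last == "yes")
            print (t ? "on" : "off")              # an unset directive is off
        }' "$1"
}

# Succeed when dotted version $1 is lower than $2 (numeric, field by field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# assess WP_VERSION PHP_INI: print fixed | exposed | upgrade-needed
assess() {
    if ! version_lt "$1" "$FIXED"; then echo fixed; return; fi
    if [ "$(php_register_globals "$2")" = on ]; then echo exposed
    else echo upgrade-needed; fi
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '; distribution default\nregister_globals = Off\n' > "$SAMPLE_DIR/default.ini"
printf 'register_globals = Off\nregister_globals = "On" ; legacy app\n' > "$SAMPLE_DIR/legacy.ini"
for ini in default legacy; do
    for v in 1.5.1.3 1.5.2; do
        echo "wordpress $v, $ini.ini: $(assess "$v" "$SAMPLE_DIR/$ini.ini")"
    done
done
```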