Summary: www-apps/wordpress SQL Injection
Product: Gentoo Security | Reporter: Patrik Karlsson <patrik>
Component: Vulnerabilities | Assignee: Gentoo Security <security>
Package list: | Runtime testing required: ---
Description Patrik Karlsson 2006-02-05 06:35:08 UTC
I found the latest stable version of Wordpress (1.5.2) vulnerable to SQL injection. The application is vulnerable as the user_agent HTTP header is not properly escaped when submitting a comment to an article. In order to trigger the issue:

1. Add a ' into the user agent value of your browser; alternatively, use a proxy such as paros (http://www.parosproxy.org) to manipulate the HTTP header.
2. Add a new comment containing anything.
3. The application will return an error message when trying to perform the INSERT INTO wp_comments.

The issue is not triggered if the comment needs to go through a moderator. I have not contacted wordpress about this as the issue is not present in their latest stable version (2.0.1).
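The defect the reporter describes is a header value spliced straight into the text of an INSERT statement, so a single quote changes the SQL grammar and the database rejects the statement. The following added example is not WordPress code and not part of this bug report: it is a constructed Python/sqlite3 stand-in for the PHP/MySQL path in the real application, with an assumed two-column version of the wp_comments table. It shows the vulnerable string-building pattern next to the parameterized form that keeps the User-Agent value out of the SQL grammar, and it reproduces the symptom from step 3 (an error on the insert) without touching any real site.

```python
import sqlite3

# Constructed stand-in for the wp_comments table; the column names are an
# assumption made for this example, not WordPress's real schema.
SCHEMA = """
CREATE TABLE wp_comments (
    comment_ID      INTEGER PRIMARY KEY AUTOINCREMENT,
    comment_content TEXT NOT NULL,
    comment_agent   TEXT NOT NULL
)
"""


def new_db():
    """Fresh in-memory database with the stand-in comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_comment_unsafe(conn, content, user_agent):
    """Vulnerable pattern (the bug in the report): the raw User-Agent header is
    concatenated into the SQL text. Returns "ok" or the database's error text,
    which is the symptom described in step 3 of the report."""
    sql = (
        "INSERT INTO wp_comments (comment_content, comment_agent) "
        f"VALUES ('{content}', '{user_agent}')"
    )
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def insert_comment_safe(conn, content, user_agent):
    """Hardened pattern: bound parameters, so header bytes are data, never SQL."""
    conn.execute(
        "INSERT INTO wp_comments (comment_content, comment_agent) VALUES (?, ?)",
        (content, user_agent),
    )
    conn.commit()
    return "ok"


def stored_agents(conn):
    """User-Agent values that actually reached the table, in insertion order."""
    rows = conn.execute(
        "SELECT comment_agent FROM wp_comments ORDER BY comment_ID"
    )
    return [row[0] for row in rows]


# Constructed header values: an ordinary browser string and one carrying a
# stray single quote, the character the report says triggers the error.
NORMAL_AGENT = "Mozilla/5.0 (X11; Linux) Gecko/20060205 Firefox/1.5"
QUOTED_AGENT = "Mozilla/5.0 O'Reilly-Test"


def demo():
    """Run both insert paths and report what each did."""
    conn = new_db()
    return {
        "unsafe_normal": insert_comment_unsafe(conn, "hello", NORMAL_AGENT),
        "unsafe_quoted": insert_comment_unsafe(conn, "hello", QUOTED_AGENT),
        "safe_quoted": insert_comment_safe(conn, "hello", QUOTED_AGENT),
        "agents": stored_agents(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the unsafe path accepting the plain browser string but failing on the quoted one, while the parameterized path stores the quoted value intact; the stored list contains exactly the two successful rows. The same contrast applies to any other request-controlled field (referer, cookies) that ends up in a statement, which is why the fix is bound parameters at the query layer rather than per-field escaping at the edge.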
Comment 1 Sune Kloppenborg Jeppesen 2006-02-05 06:43:50 UTC
Aaron please advise.
Comment 2 Thierry Carrez (RETIRED) 2006-02-12 10:44:44 UTC
Comment 3 Aaron Kulbe (RETIRED) 2006-02-12 17:14:47 UTC
Removing version 1.5.2 from the tree, for SQL injection issue. Bug #121661. Marking 2.0.1 stable on AMD64 and x86. All other arches, please mark stable.
Comment 4 Stefan Cornelius (RETIRED) 2006-02-12 17:45:32 UTC
please test and mark stable, thx
Comment 5 Jason Wever (RETIRED) 2006-02-12 19:11:33 UTC
Comment 6 Patrik Karlsson 2006-02-12 23:14:54 UTC
I contacted wordpress through their firstname.lastname@example.org e-mail address the 6th of February but haven't heard anything. I sent a new mail today. I guess they don't care about vulnerabilities in their older versions. I don't know how many other distributions still ship with 1.5.2.
Comment 7 Tobias Scherbaum (RETIRED) 2006-02-15 10:50:35 UTC
Comment 8 Thierry Carrez (RETIRED) 2006-02-16 12:48:37 UTC
Ready for GLSA vote
Comment 9 Thierry Carrez (RETIRED) 2006-02-21 10:37:44 UTC
I vote yes. Patrik, no response from Wordpress? In that case I suppose we'll be free to release if you're OK with it...
Comment 10 Patrik Karlsson 2006-02-21 10:51:35 UTC
Ah, sorry, I should have notified you about my progress. I got in contact with Ryan Boren through email@example.com and discussed the bug with him. His comments were: "1.5.2 has several security bugs that are fixed by 2.0.x, including this one. 1.5.2 is pretty much unmaintained now. We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1. We hadn't planned on backporting anything to 1.5.2." So it's OK with me to release.
Comment 11 Aaron Kulbe (RETIRED) 2006-02-21 15:08:20 UTC
HPPA still needs to mark it stable.
Comment 12 Thierry Carrez (RETIRED) 2006-02-22 09:58:47 UTC
Done by killerfox. Security please vote on GLSA need before we open this bug.
Comment 13 Thierry Carrez (RETIRED) 2006-02-23 12:02:00 UTC
I vote yes.
Comment 14 Stefan Cornelius (RETIRED) 2006-02-23 12:06:45 UTC
Tend to say yes here. Is there any public disclosure date set yet?
Comment 15 Thierry Carrez (RETIRED) 2006-02-23 12:16:52 UTC
I guess we should feel free to release it anytime, they acked it and said they won't fix it in 1.5...
Comment 16 Aaron Kulbe (RETIRED) 2006-02-23 13:41:54 UTC
So am I to take this as security's blessing to remove 1.5.2 from the tree, as well? Or are there yet more hoops to jump through, and jigs to dance? :)
Comment 17 Thierry Carrez (RETIRED) 2006-02-24 08:40:13 UTC
Removing old (insecure) versions is more the maintainer choice than a security requirement -- but feel free to do it :) /me opens the bug now...
Comment 18 Aaron Kulbe (RETIRED) 2006-02-25 09:21:17 UTC
Done. 1.5.2 has been removed from the tree.
Comment 19 Thierry Carrez (RETIRED) 2006-03-04 08:08:25 UTC
GLSA 200603-01 Thx everyone