
Bug 121661

Summary: www-apps/wordpress SQL Injection
Product: Gentoo Security
Reporter: Patrik Karlsson <patrik>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: superlag
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Patrik Karlsson 2006-02-05 06:35:08 UTC
I found the latest stable version of Wordpress (1.5.2) vulnerable to SQL injection. The application is vulnerable as the user_agent HTTP header is not properly escaped when submitting a comment to an article.

In order to trigger the issue:
1. Add a ' into the user agent value of your browser; alternatively, use a proxy such as paros (http://www.parosproxy.org) to manipulate the HTTP header.
2. Add a new comment containing anything
3. The application will return an error message when trying to perform the INSERT INTO wp_comments.

The issue is not triggered if the comment needs to go through a moderator.

I have not contacted wordpress about this as the issue is not present in their latest stable version (2.0.1).
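The defect the report describes is a header value spliced into SQL text, so a single quote in the header breaks the INSERT instead of being stored as data. The following is an added illustration, not code from the bug or from WordPress: it uses Python with an in-memory sqlite3 database and a minimal stand-in table (the column names and the sample User-Agent strings are constructed assumptions, not WordPress's real schema or data) to show the unescaped pattern next to a parameterized one. Parameterized placeholders go beyond the escaping fix the reporter refers to in 2.0.1; they are the general mitigation for this class of bug, and the check at the end confirms that a quoted header is stored intact rather than rejected.

```python
import sqlite3

# Constructed sample requests (not from the bug report): the second carries a
# User-Agent header containing a single quote, the trigger the report names.
SAMPLE_REQUESTS = [
    {"author": "alice", "content": "Nice post", "user_agent": "Mozilla/5.0 (X11; Linux)"},
    {"author": "bob", "content": "Thanks", "user_agent": "Mozilla/5.0 (it's a test)"},
]

# Minimal stand-in for wp_comments (assumption: a reduced shape, not WordPress's
# real schema); only the column that holds the User-Agent matters here.
SCHEMA = """
CREATE TABLE wp_comments (
    comment_ID      INTEGER PRIMARY KEY,
    comment_author  TEXT,
    comment_content TEXT,
    comment_agent   TEXT
)
"""


def new_db():
    """Fresh in-memory database with the stand-in table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unescaped(conn, author, content, user_agent):
    """Vulnerable pattern: the header value is pasted into the SQL text, so a
    quote inside it alters the statement instead of being stored as data."""
    sql = (
        "INSERT INTO wp_comments (comment_author, comment_content, comment_agent) "
        f"VALUES ('{author}', '{content}', '{user_agent}')"
    )
    conn.execute(sql)


def insert_parameterized(conn, author, content, user_agent):
    """Hardened pattern: placeholders keep the header value out of the SQL
    grammar entirely, whatever characters it contains."""
    conn.execute(
        "INSERT INTO wp_comments (comment_author, comment_content, comment_agent) "
        "VALUES (?, ?, ?)",
        (author, content, user_agent),
    )


def submit_all(insert_fn, requests=SAMPLE_REQUESTS):
    """Run every sample request through insert_fn on a fresh database.

    Returns (outcomes, stored_agents): one 'stored' / 'sql error: ...' string per
    request, plus the comment_agent values that actually landed in the table.
    """
    conn = new_db()
    outcomes = []
    for req in requests:
        try:
            insert_fn(conn, req["author"], req["content"], req["user_agent"])
            outcomes.append("stored")
        except sqlite3.Error as exc:
            # This is the "error message" the reporter observed for the INSERT.
            outcomes.append(f"sql error: {exc}")
    stored = [
        row[0]
        for row in conn.execute("SELECT comment_agent FROM wp_comments ORDER BY comment_ID")
    ]
    conn.close()
    return outcomes, stored


if __name__ == "__main__":
    for name, fn in (("unescaped", insert_unescaped), ("parameterized", insert_parameterized)):
        outcomes, stored = submit_all(fn)
        print(f"{name:14s} outcomes={outcomes} stored_agents={stored}")
```

Running it shows the unescaped insert failing on the quoted header while the parameterized insert stores both rows; a database error surfacing on an attacker-controlled header is the signal a reviewer should treat as a query-construction bug rather than a malformed-input nuisance.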
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-05 06:43:50 UTC
Aaron please advise.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-02-12 10:44:44 UTC
superlag: *bump*
Comment 3 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-12 17:14:47 UTC
Removing version 1.5.2 from the tree, for SQL injection issue.  Bug #121661.  Marking 2.0.1 stable on AMD64 and x86.

All other arches, please mark stable.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-12 17:45:32 UTC
please test and mark stable, thx
Comment 5 Jason Wever (RETIRED) gentoo-dev 2006-02-12 19:11:33 UTC
SPARC'd
Comment 6 Patrik Karlsson 2006-02-12 23:14:54 UTC
I contacted wordpress through their security@wordpress.org e-mail address the 6th of February but haven't heard anything. I sent a new mail today. I guess they don't care about vulnerabilities in their older versions. I don't know how many other distributions still ship with 1.5.2. 
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-15 10:50:35 UTC
ppc stable
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 12:48:37 UTC
Ready for GLSA vote
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 10:37:44 UTC
I vote yes.

Patrik, no response from Wordpress? In that case I suppose we'll be free to release if you're OK with it...
Comment 10 Patrik Karlsson 2006-02-21 10:51:35 UTC
Ah, sorry, I should have notified you about my progress. I got in contact with Ryan Boren through security@wordpress.org and discussed the bug with him. His comments were:

"1.5.2 has several security bugs that are fixed by 2.0.x, including this one.  1.5.2 is pretty much unmaintained now.  We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1.  We hadn't planned on backporting anything to 1.5.2."

So it's OK to release with me.
Comment 11 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-21 15:08:20 UTC
HPPA still needs to mark it stable.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2006-02-22 09:58:47 UTC
Done by killerfox.
Security please vote on GLSA need before we open this bug.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-02-23 12:02:00 UTC
I vote yes.
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-23 12:06:45 UTC
Tend to say yes here. Is there any public disclosure date set yet?
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2006-02-23 12:16:52 UTC
I guess we should feel free to release it anytime, they acked it and said they won't fix it in 1.5...
Comment 16 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-23 13:41:54 UTC
So am I to take this as security's blessing to remove 1.5.2 from the tree, as well? or are there yet more hoops to jump through, and jigs to dance? :)
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2006-02-24 08:40:13 UTC
Removing old (insecure) versions is more the maintainer choice than a security requirement -- but feel free to do it :)

/me opens the bug now...
Comment 18 Aaron Kulbe (RETIRED) gentoo-dev 2006-02-25 09:21:17 UTC
Done.  1.5.2 has been removed from the tree.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2006-03-04 08:08:25 UTC
GLSA 200603-01
Thx everyone