Bug 181513

Summary: WordPress 2.2 Subscriber exploit
Product: Gentoo Security Reporter: Trenton D. Adams <trenton.d.adams>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.rodtempleton.net/2007/05/30/sql-injection-vulnerability-in-wordpress-22/
Whiteboard:
Package list:
Runtime testing required: ---

Description Trenton D. Adams 2007-06-10 07:37:33 UTC
It appears that WordPress 2.2 has another vulnerability.  It's easy to fix, and it requires a subscriber-level account in WordPress in order to exploit.  See the URL.  For me, I'm installing PHP apps in a Xen VM, so I don't have to worry about security as much.  But, for others this might be a real issue.

On a side note, I would appreciate WordPress remaining in Portage.  I know there was a discussion to remove it.  But, it's up to people to make sure their own systems are secure.  You could add a message after emerge, recommending that it be run inside of a VM only, and that regular backups are done, due to a long history of security vulnerabilities.  Just a thought. :)

Reproducible: Always

Steps to Reproduce:
See the URL
Comment 1 Trenton D. Adams 2007-06-10 07:39:17 UTC
Oh, by the way, I just downloaded the most recent WordPress tar.gz, and it is NOT fixed in there.  So perhaps there should be a patch on the Gentoo side?
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-10 07:47:15 UTC

*** This bug has been marked as a duplicate of bug 181277 ***