Summary: www-apps/wordpress Multiple XSS issues.
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: B4 [glsa] lewk
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen (RETIRED) 2004-09-29 04:59:42 UTC
Vendor: WordPress
URL: http://wordpress.org/
Version: WordPress 1.2
Risk: XSS

Description:
WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. [...] Go to http://wordpress.org/ for detailed information.

Cross Site Scripting:

wp-login.php:
/wp-login.php?redirect_to=[XSS]
/wp-login.php?mode=bookmarklet&text=[XSS]
/wp-login.php?mode=bookmarklet&popupurl=[XSS]
/wp-login.php?mode=bookmarklet&popuptitle=[XSS]

Nearly every file in the administration panel of WordPress is vulnerable to XSS attacks.

admin-header.php:
/admin-header.php?redirect=1&redirect_url=%22;alert(document.cookie)//
Nice bug. ;o)

bookmarklet.php:
/bookmarklet.php?popuptitle=[XSS]
/bookmarklet.php?popupurl=[XSS]
/bookmarklet.php?content=[XSS]
/bookmarklet.php?post_title=[XSS]

categories.php:
/categories.php?action=edit&cat_ID=[XSS]

edit.php:
/edit.php?s=[XSS]

edit-comments.php:
/edit-comments.php?s=[XSS]
/edit-comments.php?mode=[XSS]

and so on ...

Solution:
There is no solution yet. I contacted Matthew Mullenweg, one of the lead developers of WordPress, on Wednesday but I have not received any answer yet.

Credits: Thomas Waldegger
Comment 1 Dan Margolis (RETIRED) 2004-09-29 08:25:51 UTC
I saw this on bugtraq, but I'm confused. Is he saying that if you visit, say, /wp-login.php?redirect_to=http://evilhacker.ru/wussy_IE_vulnerability.html, you'll end up going to this evil russian hacker's site and downloading a wussy IE vulnerability? All of these instances seem to be the same; the risk is only there if some administrator voluntarily visits that URL. I guess it means if you're a slashdot troll, you can post URLs that appear to be from one site and really are from another, but other than that I just don't see what the big deal here is. So unless I'm mistaken, I'd say this isn't much of a security bug (or at least deserves no GLSA).
Comment 2 Thierry Carrez (RETIRED) 2004-09-29 11:40:45 UTC
Nah, it allows script injection, probably from inside the blog. Clearly XSS. WordPress acknowledged it at: http://wordpress.org/support/4/13818
They are getting a 1.2.1 version ready.
Comment 3 Luke Macken (RETIRED) 2004-10-01 13:09:45 UTC
I'll keep an eye on upstream ;)
Comment 4 Luke Macken (RETIRED) 2004-10-06 18:21:55 UTC
http://wordpress.org/development/2004/10/wp-121/
web-apps, please bump to 1.2.1
Comment 5 Peter Westwood 2004-10-07 00:53:18 UTC
Created attachment 41262: Ebuild for v1.2.1
I have updated the v1.2r1 ebuild for v1.2. Login problems should now be fixed, so I have commented out the patch that was previously used. At the moment the line for the Post Install instructions is commented out too. I think that the ones from v1.2 should be fine though. I have this installed and running fine on my site; webapp-config upgraded my previous v1.2 install successfully.
Comment 6 Stuart Herbert (RETIRED) 2004-10-08 13:21:14 UTC
Added to CVS. I still had to patch the login code in order to work locally, but at least the patch was much smaller this time. We need others to test the patch before we can mark this ebuild as stable.
Best regards,
Stu
Comment 7 Luke Macken (RETIRED) 2004-10-08 13:31:07 UTC
archs, please mark stable.
Comment 8 Jason Wever (RETIRED) 2004-10-08 16:34:14 UTC
Ebuild is borked as a patch appears to be missing:

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /usr/portage/www-apps/wordpress/files/1.2.1/login-patch.diff

!!! ERROR: www-apps/wordpress-1.2.1 failed.
!!! Function epatch, Line 262, Exitcode 0
!!! Cannot find $EPATCH_SOURCE!
Comment 9 Luke Macken (RETIRED) 2004-10-08 20:19:23 UTC
back to ebuild status until it is fixed.
Comment 10 Luke Macken (RETIRED) 2004-10-11 12:40:46 UTC
Stuart, please fix this patch issue.
Comment 12 Thierry Carrez (RETIRED) 2004-10-11 14:01:51 UTC
Back to [stable] status... We only need ppc stable on this one. x86 and sparc are already set.
Comment 13 Jochen Maes (RETIRED) 2004-10-11 23:30:06 UTC
Koon, emerging it now on ppc, was waiting for the fix :-)
Comment 14 Jochen Maes (RETIRED) 2004-10-11 23:57:32 UTC
stable on ppc
Comment 15 Thierry Carrez (RETIRED) 2004-10-12 01:46:33 UTC
Ready for a GLSA vote
Comment 17 Matthias Geerdsen (RETIRED) 2004-10-12 02:15:51 UTC
With this amount of issues a GLSA should maybe be issued, although it's still mainly just XSS.
___
Just some more advisories about the possible response splitting attack:
http://wordpress.org/development/2004/10/wp-121/
At the same time we were responsibly notified of a related but separate problem in the code related to HTTP response splitting (PDF link) by Chaotic Evil.
http://www.securityfocus.com/archive/1/377770/2004-10-02/2004-10-08/0
http://securitytracker.com/id?1011592
http://secunia.com/advisories/12773/
Comment 18 Thierry Carrez (RETIRED) 2004-10-12 04:40:29 UTC
GLSA there will be, then.
Comment 19 Luke Macken (RETIRED) 2004-10-14 05:05:17 UTC