
Bug 74649

Summary: www-apps/wordpress: Multiple XSS issues
Product: Gentoo Security
Reporter: Luke Macken (RETIRED) <lewk>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gentoo.3.ohthetrees, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://wordpress.org/development/2004/12/one-point-two-two/
Whiteboard: B4 [unmask] lewk
Package list:
Runtime testing required: ---
Attachments: Ebuild for v1.2.2 (flags: none)

Description Luke Macken (RETIRED) gentoo-dev 2004-12-16 10:33:41 UTC
Vendor : Wordpress
URL    : http://wordpress.org/
Version: Wordpress 1.2.1
Risk   : XSS

* Description
WordPress is a state-of-the-art semantic personal
publishing platform with a focus on aesthetics, web
standards, and usability. [...]

Visit http://wordpress.org/ for detailed information.

* Summary
After a quick reread of the wordpress source code I
was very disappointed about the improvements in the
new version 1.2.1 of wordpress. The developers did
not fix all flaws I mentioned in my last advisory
[1] and they did not improve the code of the files
in the administration panel. There were still a lot
of XSS vulnerabilities.

So I contacted the main developer again on October
28th and posted the notice about several security
flaws in their support forum to be sure the message
reaches the developers. On December 15th - yesterday
- they released a fixed version.

* Cross Site Scripting and similar flaws
The version 1.2.1 of wordpress was *more* vulnerable
than the 1.2 release because of this new "feature"
in wp-login.php.

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) != get_settings('siteurl') )
>    update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) );

With a URI like

/wp-login.php?="><script>alert(document.cookie)</script></script>

an attacker was able to store arbitrary values in
the global siteurl setting.

Another issue was that an administrator or privileged
user was able to post messages, add new categories,
change profile values etc. with HTML code in it.

Still vulnerable in WP-1.2.1:
/wp-login.php?redirect_to=[XSS]
/wp-admin/bookmarklet.php?popupurl=[XSS]
/wp-admin/bookmarklet.php?content=[XSS]

XSS vulns they did not fix:
/wp-admin/edit-comments.php?s=[XSS]
/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/link-add.php?linkurl=[XSS]
/wp-admin/link-add.php?name=[XSS]
/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
/wp-admin/link-manager.php?order_by=[XSS]
/wp-admin/link-manager.php?cat_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
/wp-admin/post.php?content=[XSS]
/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL errors:
/index.php?m=bla
/wp-admin/edit.php?m=bla
/wp-admin/link-categories.php?cat_id=bla&action=Edit

* Solution
Upgrade to WordPress 1.2.2 [2]

* Credits
Thomas Waldegger

[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/
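Added example (not WordPress's code and not part of the advisory): the siteurl auto-detection quoted above as a function, beside a hardened variant that ignores the query string and accepts only a configured Host. The function names, the host allowlist and the $_SERVER values are constructed for this demo.

```php
<?php
// Added example, not WordPress code; names and inputs are hypothetical.

// Mirrors the wp-login.php logic from the advisory: the whole REQUEST_URI,
// query string included, flows into the value stored as 'siteurl'. The page
// is reachable without authentication, so the input is attacker-controlled.
function siteurl_unsafe(array $server): string
{
    return dirname('http://' . $server['HTTP_HOST'] . $server['REQUEST_URI']);
}

// Hardened variant: HTTP_HOST must match a configured allowlist and only the
// path component, limited to a conservative alphabet, is used. Returns null
// when the request is rejected so the caller leaves the stored setting alone.
function siteurl_safe(array $server, array $allowedHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        return null;
    }
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH);
    if (!is_string($path) || !preg_match('~^/[A-Za-z0-9._/-]*$~', $path)) {
        return null;
    }
    $dir = dirname($path); // '/' for a root install, '/blog' for a subdirectory
    return 'http://' . $host . ($dir === '/' ? '' : $dir);
}

// Constructed requests: a normal login hit and the crafted URI from the advisory.
$normal  = ['HTTP_HOST' => 'example.org', 'REQUEST_URI' => '/wp-login.php'];
$crafted = ['HTTP_HOST' => 'example.org',
            'REQUEST_URI' => '/wp-login.php?="><script>alert(document.cookie)</script>'];

// dirname() cuts at the last '/', which sits inside the payload, so the
// markup is persisted in siteurl and later echoed into every generated page.
$stored = siteurl_unsafe($crafted);
if (strpos($stored, '<script>') === false) {
    throw new RuntimeException('expected the injected markup to reach siteurl');
}
// The hardened variant rejects the crafted request and an unexpected Host,
// while still accepting a normal request.
if (siteurl_safe($crafted, ['example.org']) !== null
    || siteurl_safe($normal, ['blog.example.org']) !== null
    || siteurl_safe($normal, ['example.org']) !== 'http://example.org') {
    throw new RuntimeException('hardened siteurl detection misbehaved');
}
echo "unsafe siteurl: $stored\n";
echo "safe siteurl:   " . siteurl_safe($normal, ['example.org']) . "\n";
```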
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-16 10:34:48 UTC
web-apps, please bump to 1.2.2
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-16 14:11:09 UTC
This should probably be handled as an update for GLSA 200410-12 (same vulnerability which was not patched enough)
Comment 3 Peter Westwood 2004-12-17 00:59:51 UTC
Created attachment 46195 [details]
Ebuild for v1.2.2

This is an ebuild for v1.2.2 - a straight copy of v1.2.1 except for the
following:

Change in SRC_URI - v1.2.2 is not available from sf.net at the moment and the
default link on the front page is to latest.tar.gz (talked to photomatt, the main
wordpress author, on irc and he has made it so that latest-1.2.2.tar.gz will get
the right file).

Remove the patching of the login code which should be fixed in this version.

If anyone still has login problems they probably ought to check that they have
run the upgrade.php file as described here:
http://codex.wordpress.org/Upgrading
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-12-17 01:02:19 UTC
I'll bump this package as soon as I get home from work this evening.

Best regards,
Stu
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2004-12-18 13:38:07 UTC
Hi,

Wordpress.org is unreachable atm, and the new release still hasn't turned up on SourceForge.  I'll keep an eye on wordpress.org, and bump this package once the server's back.

Best regards,
Stu
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-12-18 15:39:32 UTC
Okay, wordpress 1.2.2 is in the tree, and marked stable on x86 and ppc.  

Needs marking stable on sparc, as sparc has just marked the (much older) 1.2-r1 ebuild as stable.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-12-18 16:30:38 UTC
Stable on sparc.
Comment 8 Luke Macken (RETIRED) gentoo-dev 2004-12-18 16:45:51 UTC
Ready for GLSA.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 05:47:37 UTC
Please release this as an update to GLSA 200410-12, not a new GLSA.
Comment 10 Luke Macken (RETIRED) gentoo-dev 2004-12-19 14:02:59 UTC
Released update to GLSA 200410-12.
Comment 11 Luke Macken (RETIRED) gentoo-dev 2004-12-21 18:09:36 UTC
It looks like these vulnerabilities haven't been fixed yet:

     http://www.securityfocus.com/archive/1/385042/

Screw email, I'll bother the upstream on IRC ;)
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-10 01:40:32 UTC
lewk: what's the status on this?
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-01-10 05:41:56 UTC
A couple of the devs confirmed this issue on IRC a few weeks ago, but I haven't heard anything recently.  I just sent an email upstream asking for more info.
Comment 14 Stuart Herbert (RETIRED) gentoo-dev 2005-01-10 10:52:15 UTC
If UPSTREAM don't get their act together, I'm happy to drop support for wordpress on the grounds that they're just an ongoing security problem.

Best regards,
Stu
Comment 15 Luke Macken (RETIRED) gentoo-dev 2005-01-24 17:31:07 UTC
I still haven't heard anything back from upstream.  Stuart, feel free to try and get ahold of them yourself, or you can do as you wish with this package.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 06:27:37 UTC
Just paid a visit to #wordpress and found infowolfe there. Apparently this is all fixed in 1.5 nightlies, but no dev was around to tell us when it's due. infowolfe will try to make up a patch, with or without upstream dev help.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 07:04:27 UTC
We should mask it until they get a 1.5 version.
Comment 18 Aaron Walker (RETIRED) gentoo-dev 2005-02-11 07:10:09 UTC
In package.mask.
Comment 19 Stuart Herbert (RETIRED) gentoo-dev 2005-02-11 10:46:45 UTC
Hi,

Anyone got a link that works for the current vulnerabilities?  The one posted doesn't work.

Thanks,
Stu
Comment 20 Stuart Herbert (RETIRED) gentoo-dev 2005-02-11 10:57:32 UTC
http://www.securityfocus.com/bid/11984 looks like the correct link.

I've emailed the author.  Let's see what we hear back.

Best regards,
Stu
Comment 21 Stuart Herbert (RETIRED) gentoo-dev 2005-02-11 13:25:21 UTC
I've spoken with the upstream author.  He asserts that Wordpress 1.2.2 is not vulnerable.

Anyone got an exploit that we can use to test this?

Best regards,
Stu
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 14:05:51 UTC
From http://www.securityfocus.com/bid/12066/exploit/ :

Cross-site Scripting:
/wp-login.php?action=login&redirect_to=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/post.php?content=[XSS]

SQL Injection:
/index.php?m=bla
/wp-admin/edit.php?m=bla
Comment 23 Stuart Herbert (RETIRED) gentoo-dev 2005-02-12 13:39:51 UTC
Hrm.  I've had no luck reproducing those exploits against Wordpress 1.2.2.  Anyone else want to try?

Best regards,
Stu
Comment 24 Peter Westwood 2005-02-15 00:16:37 UTC
v1.5 has been released see http://wordpress.org/download/

upgrading is not as simple as writing the new files over the top so we may need to point people to the upgrade guide as well

http://codex.wordpress.org/Upgrade_1.2_to_1.5
Comment 25 Stuart Herbert (RETIRED) gentoo-dev 2005-02-15 14:07:21 UTC
Okay, I'll add this to Thursday's todo list.  Got an nxserver/freenx upgrade to do first tho.

Best regards,
Stu
Comment 26 Luke Macken (RETIRED) gentoo-dev 2005-02-23 19:07:12 UTC
Stuart, any updates on this?
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 03:13:27 UTC
If the author says it's not affected and we can't reproduce, we should close this bug and unmask wordpress. Anyone else want to try?
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 01:40:03 UTC
We should unmask >=1.2.2 since we can't reproduce and author says it's clean.
Comment 29 Aaron Walker (RETIRED) gentoo-dev 2005-03-02 03:39:58 UTC
everything <1.2.2 has been removed from the tree; removed from p.mask.
Comment 30 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 05:17:41 UTC
Considering this fixed as of GLSA 200410-12:02.
Please reopen if you can prove it's still vulnerable.