I found the latest stable version of WordPress (1.5.2) vulnerable to SQL injection. The application is vulnerable as the user_agent HTTP header is not properly escaped when submitting a comment to an article.
In order to trigger the issue:
1. Add a ' to the user agent value of your browser; alternatively, use a proxy such as Paros (http://www.parosproxy.org) to manipulate the HTTP header.
2. Add a new comment containing anything.
3. The application will return an error message when trying to perform the INSERT INTO wp_comments.
The issue is not triggered if the comment needs to go through a moderator.
I have not contacted WordPress about this as the issue is not present in their latest stable version (2.0.1).
Aaron please advise.
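As an added illustration (not WordPress's code and not part of the original report), here is a simplified Python/sqlite3 model of the comment INSERT the report describes: the header value interpolated straight into the statement beside the parameterized form. The column names and the sample User-Agent string are constructed.

```python
import sqlite3

# Constructed sample submission: a User-Agent carrying a single quote, the probe
# described in the report. Hypothetical illustration, not WordPress's own code.
USER_AGENT = "Mozilla/5.0 (X11; Linux) Gecko' test"
COMMENT = "hello"


def make_db():
    """In-memory stand-in for the wp_comments table (column names assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_comments (comment_content TEXT, comment_agent TEXT)")
    return con


def insert_comment_unescaped(con, content, agent):
    """Builds the INSERT by string formatting, the pattern the report describes.
    A quote in the header terminates the literal early and the DB rejects the statement."""
    sql = ("INSERT INTO wp_comments (comment_content, comment_agent) "
           f"VALUES ('{content}', '{agent}')")
    con.execute(sql)


def insert_comment_parameterized(con, content, agent):
    """Hardened form: the driver binds the values, so header content is data, never SQL."""
    con.execute(
        "INSERT INTO wp_comments (comment_content, comment_agent) VALUES (?, ?)",
        (content, agent),
    )


def demo():
    """Runs both variants against the same input and reports what each did."""
    results = {}
    con = make_db()
    try:
        insert_comment_unescaped(con, COMMENT, USER_AGENT)
        results["unescaped"] = "inserted"
    except sqlite3.OperationalError:
        # The visible symptom from step 3 of the report: the INSERT errors out.
        results["unescaped"] = "sql error"
    insert_comment_parameterized(con, COMMENT, USER_AGENT)
    # The parameterized insert stores the quote-bearing header verbatim.
    results["stored_agent"] = con.execute(
        "SELECT comment_agent FROM wp_comments").fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```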
Removing version 1.5.2 from the tree, for SQL injection issue. Bug #121661. Marking 2.0.1 stable on AMD64 and x86.
All other arches, please mark stable.
Please test and mark stable, thx.
I contacted WordPress through their firstname.lastname@example.org e-mail address on the 6th of February but haven't heard anything. I sent a new mail today. I guess they don't care about vulnerabilities in their older versions. I don't know how many other distributions still ship with 1.5.2.
Ready for GLSA vote
I vote yes.
Patrik, no response from WordPress? In that case I suppose we'll be free to release if you're OK with it...
Ah, sorry, I should have notified you about my progress. I got in contact with Ryan Boren through email@example.com and discussed the bug with him. His comments were:
"1.5.2 has several security bugs that are fixed by 2.0.x, including this one. 1.5.2 is pretty much unmaintained now. We could patch this bug, but there would still be several bugs remaining unless we backport everything from 2.0.1. We hadn't planned on backporting anything to 1.5.2."
So it's OK with me to release.
HPPA still needs to mark it stable.
Done by killerfox.
Security please vote on GLSA need before we open this bug.
I vote yes.
Tend to say yes here. Is there any public disclosure date set yet?
I guess we should feel free to release it anytime, they acked it and said they won't fix it in 1.5...
So am I to take this as security's blessing to remove 1.5.2 from the tree, as well? Or are there yet more hoops to jump through, and jigs to dance? :)
Removing old (insecure) versions is more the maintainer choice than a security requirement -- but feel free to do it :)
/me opens the bug now...
Done. 1.5.2 has been removed from the tree.