Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 134397 - www-apps/wordpress: code injection (CVE-2006-2667,CVE-2006-2702)
Summary: www-apps/wordpress: code injection (CVE-2006-2667,CVE-2006-2702)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://retrogod.altervista.org/wordpr...
Whiteboard: C1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-26 03:44 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-06-09 14:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-26 03:44:31 UTC
To be confirmed by a quick audit or a test (it's a bit tricky).

The code is too long to be reasonnably pasted here; please see the URL http://retrogod.altervista.org/wordpress_202_xpl.html

Finally, rgod manages to inject shell code, but it's hard to do, and it may depend on the configuration.
Comment 1 Peter Westwood 2006-05-26 04:11:43 UTC
FYI AFAIK this won't work on a default install as the cache of db data is not enabled in 2.0.2 unless the user enables it.

It would affect 2.0.1 though as it does have the cache enabled by default if i recall correctly (or that may have been 2.0)
Comment 2 Aaron Kulbe (RETIRED) gentoo-dev 2006-05-26 10:56:28 UTC
And since 2.0.1 is no longer in the tree, this seems like a moot point.  Security team, wouldn't you agree?

I have verified, as Peter has already mentioned, the cache is not on, unless enabled by the user.
Comment 3 Peter Westwood 2006-05-26 14:39:58 UTC
This is now patched upstream on the 2.0 branch for a future 2.0.3 release:

http://trac.wordpress.org/changeset/3797

I don't know when the release is targetted for yet though.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-05-30 21:08:56 UTC
It's still vulnerable, just not in default configuration hence the C rating above.

Aaron would you prefer to extract patch from CVS or wait for the upstream release?
Comment 5 Peter Westwood 2006-06-01 02:04:28 UTC
v2.0.3 is now released with the fix for this included.

See: wordpress.org/development/2006/06/wordpress-203/ 
Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2006-06-01 02:15:46 UTC
BTW, it eludes me how we can have phpBB masked and this one in stable...
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-01 09:34:27 UTC
web-apps please bump.
Comment 8 Aaron Kulbe (RETIRED) gentoo-dev 2006-06-01 14:02:10 UTC
Coming right up.  I'll have it in the tree shortly.
Comment 9 Aaron Kulbe (RETIRED) gentoo-dev 2006-06-01 14:41:37 UTC
Bumped. Marked stable on amd64.  Yes, I'm on the arch team. :)

Call in the cavalry.  Let's have some keywording fun.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-01 16:17:02 UTC
Hi arches,

you can go and stabilize wordpress-2.0.3 please
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-01 16:17:57 UTC
amd64 already done, this is just for Koon's statistics
Comment 12 Joshua Jackson (RETIRED) gentoo-dev 2006-06-01 21:03:38 UTC
x86 is done

^.^
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-01 22:03:23 UTC
ppc stable
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-02 06:44:34 UTC
sparc stable.
Comment 15 René Nussbaumer (RETIRED) gentoo-dev 2006-06-03 02:45:30 UTC
stable on hppa
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-03 05:32:16 UTC
good, ready for GLSA
Comment 17 frilled 2006-06-07 09:43:21 UTC
Might be even A3 if the bundled version is affected, too. Quite some php apps use gd.
Comment 18 frilled 2006-06-07 09:45:25 UTC
Sorry, wrong bug from cache :(
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2006-06-08 21:07:29 UTC
Peter/Aaron is there any way for a site admin to globally enable/disable this feature? (As I can't seem to find it)
Comment 20 Peter Westwood 2006-06-09 02:39:09 UTC
You don't/can't globally enable it for all installs.

You enable it on an install by install basis in wp-config.php with:

define('ENABLE_CACHE',True);

You can force it off (although it is off by default) with:

define('DISABLE_CACHE',True);
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-09 14:17:33 UTC
GLSA 200606-08 , thanks everybody and particularly jaervosz.