To be confirmed by a quick audit or a test (it's a bit tricky). The code is too long to be reasonably pasted here; please see the URL http://retrogod.altervista.org/wordpress_202_xpl.html Finally, rgod manages to inject shellcode, but it's hard to do, and it may depend on the configuration.
FYI AFAIK this won't work on a default install as the cache of db data is not enabled in 2.0.2 unless the user enables it. It would affect 2.0.1 though as it does have the cache enabled by default if I recall correctly (or that may have been 2.0).
And since 2.0.1 is no longer in the tree, this seems like a moot point. Security team, wouldn't you agree? I have verified, as Peter has already mentioned, the cache is not on, unless enabled by the user.
This is now patched upstream on the 2.0 branch for a future 2.0.3 release: http://trac.wordpress.org/changeset/3797 I don't know when the release is targeted for yet though.
It's still vulnerable, just not in default configuration hence the C rating above. Aaron would you prefer to extract patch from CVS or wait for the upstream release?
v2.0.3 is now released with the fix for this included. See: wordpress.org/development/2006/06/wordpress-203/
BTW, it eludes me how we can have phpBB masked and this one in stable...
web-apps please bump.
Coming right up. I'll have it in the tree shortly.
Bumped. Marked stable on amd64. Yes, I'm on the arch team. :) Call in the cavalry. Let's have some keywording fun.
Hi arches, you can go and stabilize wordpress-2.0.3 please
amd64 already done, this is just for Koon's statistics
x86 is done ^.^
ppc stable
sparc stable.
stable on hppa
good, ready for GLSA
Might be even A3 if the bundled version is affected, too. Quite some php apps use gd.
Sorry, wrong bug from cache :(
Peter/Aaron is there any way for a site admin to globally enable/disable this feature? (As I can't seem to find it)
You don't/can't globally enable it for all installs. You enable it on an install by install basis in wp-config.php with: define('ENABLE_CACHE',True); You can force it off (although it is off by default) with: define('DISABLE_CACHE',True);
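Since the thread establishes that exposure depends on a per-install wp-config.php setting rather than a global switch, a site admin with many installs needs a way to find which ones have the cache turned on. The script below is an added example, not code from the bug thread or from WordPress: it walks a directory tree, parses the define() lines of every wp-config.php it finds, and applies the rule stated in the comment above (off by default, ENABLE_CACHE true turns it on, DISABLE_CACHE true forces it off). That WordPress evaluates the constants' values this way, rather than only testing defined(), is an assumption here; the SAMPLES dictionary is constructed test input, not taken from any real install.

```python
"""Audit wp-config.php files for the WordPress 2.0.x object cache setting.

Added example, not from the bug thread or from WordPress. It applies the rule
given in the comment above: the cache is off unless ENABLE_CACHE is defined
true, and DISABLE_CACHE, when defined true, forces it off regardless. Whether
WordPress checks the value or merely defined() is an ASSUMPTION here; confirm
against wp-settings.php / cache.php of the installed version before relying on it.
"""
import os
import re
from typing import Dict, Iterator, Tuple

# define('NAME', value); with either quote style, optional whitespace, and any
# literal up to the closing parenthesis as the value.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Z_][A-Z0-9_]*)\1\s*,\s*(?P<value>[^)]*?)\s*\)\s*;""",
    re.IGNORECASE,
)
_LINE_COMMENT_RE = re.compile(r"^\s*(//|#)")
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def _php_truthy(literal: str) -> bool:
    """Approximate PHP truthiness for the literals that appear in wp-config.php."""
    lit = literal.strip()
    if lit.lower() == "true":
        return True
    if lit.lower() in ("false", "null", "0", "''", '""', "'0'", '"0"'):
        return False
    # Any other non-empty number or string literal is truthy in PHP.
    return bool(lit)


def parse_defines(config_text: str) -> Dict[str, str]:
    """Return {CONSTANT: raw literal} for every active define() in the text.

    Block comments and lines that are entirely line comments are dropped first,
    so a commented-out define('ENABLE_CACHE', true) is not reported as active.
    """
    text = _BLOCK_COMMENT_RE.sub("", config_text)
    active = "\n".join(l for l in text.splitlines() if not _LINE_COMMENT_RE.match(l))
    return {m.group("name").upper(): m.group("value") for m in _DEFINE_RE.finditer(active)}


def cache_state(config_text: str) -> Tuple[bool, str]:
    """Decide whether the object cache is on for one wp-config.php (rule from the thread)."""
    defines = parse_defines(config_text)
    if _php_truthy(defines.get("DISABLE_CACHE", "false")):
        return False, "DISABLE_CACHE set"
    if _php_truthy(defines.get("ENABLE_CACHE", "false")):
        return True, "ENABLE_CACHE set"
    return False, "default (no ENABLE_CACHE)"


def audit_tree(root: str) -> Iterator[Tuple[str, bool, str]]:
    """Walk a web root (e.g. /var/www) and report every wp-config.php found."""
    for dirpath, _dirs, files in os.walk(root):
        if "wp-config.php" in files:
            path = os.path.join(dirpath, "wp-config.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                enabled, why = cache_state(fh.read())
            yield path, enabled, why


# Constructed sample configs (not from any real install) for a dry run.
SAMPLES = {
    "default": "<?php\ndefine('DB_NAME', 'wp');\n",
    "enabled": "<?php\ndefine('DB_NAME', 'wp');\ndefine('ENABLE_CACHE',True);\n",
    "forced_off": "<?php\ndefine('ENABLE_CACHE', true);\ndefine(\"DISABLE_CACHE\", true);\n",
    "commented": "<?php\n// define('ENABLE_CACHE', true);\n/* define('ENABLE_CACHE', true); */\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, enabled, why in audit_tree(sys.argv[1]):
            print(f"{'ENABLED ' if enabled else 'disabled'}  {path}  ({why})")
    else:
        for label, text in SAMPLES.items():
            enabled, why = cache_state(text)
            print(f"{label:11} cache {'ENABLED' if enabled else 'disabled'} ({why})")
```

Run it with a web root as the argument to scan real installs, or with no argument to see the constructed samples; an install reported as ENABLED on 2.0.2 is the configuration the thread describes as still exposed until 2.0.3 is deployed.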
GLSA 200606-08 , thanks everybody and particularly jaervosz.