Bug 159229 - www-apps/wordpress XSS and SQL injection (CVE-2006-6808 and CVE-2007-010(7|9))
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Reported: 2006-12-27 10:33 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-01-16 23:06 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-27 10:33:16 UTC
Vulnerability Title: WordPress Persistent XSS
Author: David Kierznowski
Software Vendor: WordPress Persistent XSS
Versions affected: Confirmed in v2.0.5 (latest)
See homepage for more details.
WordPress was contacted: 26/12/06 22:04 BST
Reply received: 27/12/06 06:11 BST
 WordPress has fixed this for v2.0.6, see
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-12-30 14:19:42 UTC

patch available see comment #1
Comment 2 Steve Dibb (RETIRED) gentoo-dev 2006-12-31 10:21:05 UTC
I have an updated ebuild ready to go, just need to talk to the team about the best way to upgrade, since I'm new to webapps.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-04 11:58:46 UTC
Any news on this one?
Comment 4 Steve Dibb (RETIRED) gentoo-dev 2007-01-04 12:17:19 UTC
Fixed in CVS, removed the vulnerable version.  -r1 is patched.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-04 13:02:24 UTC
Thanks Steve,

The new ebuild already contains all the target arches (the patch was indeed trivial), jumping directly to [glsa?] status.

Security team, please vote.

I vote no-glsa.
Comment 6 Wolf Giesen (RETIRED) gentoo-dev 2007-01-04 22:00:47 UTC
Given its nature as multi-blog provider I tend to vote YES.
Comment 7 Peter Westwood 2007-01-05 06:33:31 UTC
WordPress 2.0.6 has now been released which includes the patch - could probably bump to that before the GLSA?
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2007-01-05 09:07:59 UTC
(In reply to comment #7)
> WordPress 2.0.6 has now been released which includes the patch - could probably
> bump to that before the GLSA?

I would prefer that, given a little time to get the ebuild out.
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-01-05 09:20:46 UTC
Okay, same as before.  I removed 2.0.5-r1, and added 2.0.6.  The new tarball is on the local mirrors.  Should be good to go on my end. :)
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-05 14:47:47 UTC
I also tend to vote yes.

further issues:

* WordPress CSRF Protection XSS Vulnerability

* WordPress Trackback Charset Decoding SQL Injection Vulnerability
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 12:27:56 UTC
I tend to vote YES.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-08 10:45:38 UTC
before the voting never ends...

changing to a full yes, filing draft request
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2007-01-12 12:32:50 UTC
CVE-2007-0109: wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks.

CVE-2007-0107: WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.
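Added example, not part of the bug report and not WordPress code: a Python sketch of the ordering flaw described in CVE-2007-0107 above, with Python's utf-7 codec standing in for PHP's mbstring conversion. All function names and the sample string are constructed for illustration.

```python
import sqlite3

def escape_sql(s: str) -> str:
    """Stand-in for a string-literal escaper: doubles single quotes."""
    return s.replace("'", "''")

def decode_charset(raw: str, charset: str) -> str:
    """Stand-in for an mbstring-style conversion of request data."""
    return raw.encode("ascii").decode(charset)

def escape_then_decode(raw: str, charset: str) -> str:
    """Order described in the CVE: the escaper only sees the encoded bytes."""
    return decode_charset(escape_sql(raw), charset)

def decode_then_escape(raw: str, charset: str) -> str:
    """Corrected order: convert to the final charset, then escape."""
    return escape_sql(decode_charset(raw, charset))

def has_unescaped_quote(s: str) -> bool:
    """True if a single quote remains that is not part of a doubled pair."""
    return "'" in s.replace("''", "")

def store_and_fetch(value: str) -> str:
    """Bind the decoded value as a parameter so no escaping step is needed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE trackbacks (title TEXT)")
    db.execute("INSERT INTO trackbacks (title) VALUES (?)", (value,))
    return db.execute("SELECT title FROM trackbacks").fetchone()[0]

# Constructed sample: "+ACc-" is the UTF-7 encoding of a single quote.
SAMPLE = "title+ACc-suffix"

if __name__ == "__main__":
    flawed = escape_then_decode(SAMPLE, "utf-7")
    fixed = decode_then_escape(SAMPLE, "utf-7")
    print("escape then decode:", flawed, has_unescaped_quote(flawed))
    print("decode then escape:", fixed, has_unescaped_quote(fixed))
    print("bound parameter:   ", store_and_fetch(decode_charset(SAMPLE, "utf-7")))
```

The same check applies to any input pipeline: every transformation that can produce metacharacters (charset conversion, URL decoding, unserialization) has to finish before escaping or parameter binding happens.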
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-16 23:06:29 UTC
GLSA 200701-10, thanks to everybody