Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 65798 - www-apps/wordpress Multiple XSS issues.
Summary: www-apps/wordpress Multiple XSS issues.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B4 [glsa] lewk
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-29 04:59 UTC by Sune Kloppenborg Jeppesen
Modified: 2011-10-30 22:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Ebuild for v1.2.1 (wordpress-1.2.1.ebuild,1.94 KB, text/plain)
2004-10-07 00:53 UTC, Peter Westwood
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2004-09-29 04:59:42 UTC
Vendor  : Wordpress
URL     : http://wordpress.org/
Version : Wordpress 1.2
Risk    : XSS

Description:
WordPress is a state-of-the-art semantic personal publishing platform with a focus
on aesthetics, web standards, and usability. [...]
Go to http://wordpress.org/ for detailed information.

Cross Site Scripting:
wp-login.php:
/wp-login.php?redirect_to=[XSS]
/wp-login.php?mode=bookmarklet&text=[XSS]
/wp-login.php?mode=bookmarklet&popupurl=[XSS]
/wp-login.php?mode=bookmarklet&popuptitle=[XSS]

Nearly every file in the administration panel of wordpress is vulnerable for XSS attacks.

admin-header.php:
/admin-header.php?redirect=1&redirect_url=%22;alert(document.cookie)//

Nice bug. ;o)

bookmarklet.php:
/bookmarklet.php?popuptitle=[XSS]
/bookmarklet.php?popupurl=[XSS]
/bookmarklet.php?content=[XSS]
/bookmarklet.php?post_title=[XSS]

categories.php:
/categories.php?action=edit&cat_ID=[XSS]

edit.php:
/edit.php?s=[XSS]

edit-comments.php:
/edit-comments.php?s=[XSS]
/edit-comments.php?mode=[XSS]

and so on ...

Solution:
There is not any solution yet. I contacted Matthew Mullenweg, one of the lead developers
of wordpress, on Wednesday but I did not receive any answer until yet.

Credits:
Thomas Waldegger
Comment 1 Dan Margolis (RETIRED) gentoo-dev 2004-09-29 08:25:51 UTC
I saw this on bugtraq, but I'm confused. Is he saying that if you visit, say, /wp-login.php?redirect_to=http://evilhacker.ru/wussy_IE_vulnerability.html, you'll end up going to this evil russian hacker's site and downloading a wussy IE vulnerability? 

All of these instances seem to be the same; the risk is only there if some administrator voluntarily visits that URL. I guess it means if you're a slashdot troll, you can post URLs that appear to be from one site and really are from another, but other than that I just don't see what the big deal here is. 

So unless I'm mistaken, I'd say this isn't much of a security bug (or at least deserves no GLSA). 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-09-29 11:40:45 UTC
Nah, it allows script injection, probably from inside the blog. Clearly XSS.

WordPress acknowledged it at : http://wordpress.org/support/4/13818
They are getting a 1.2.1 version ready.
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-10-01 13:09:45 UTC
I'll keep an eye on upstream ;)
Comment 4 Luke Macken (RETIRED) gentoo-dev 2004-10-06 18:21:55 UTC
http://wordpress.org/development/2004/10/wp-121/

web-apps, please bump to 1.2.1
Comment 5 Peter Westwood 2004-10-07 00:53:18 UTC
Created attachment 41262 [details]
Ebuild for v1.2.1

I have updated the v1.2r1 ebuild for v1.2
Login problems should now be fixed so I have commented out the patch that was
previously used.
At the moment the line for the Post Install instructions is commented out too.
I think that the ones from v1.2 should be fine though.

I have this installed and running fine on my site - webapp-config upgraded my
previous v1.2 install sucessfully.
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-10-08 13:21:14 UTC
Added to CVS.  I still had to patch the login code in order to work locally, but at least the patch was much smaller this time.  We need others to test the patch before we can mark this ebuild as stable.

Best regards,
Stu
Comment 7 Luke Macken (RETIRED) gentoo-dev 2004-10-08 13:31:07 UTC
archs, please mark stable.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2004-10-08 16:34:14 UTC
Ebuild is borked as a patch appears to be missing;

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /usr/portage/www-apps/wordpress/files/1.2.1/login-patch.diff


!!! ERROR: www-apps/wordpress-1.2.1 failed.
!!! Function epatch, Line 262, Exitcode 0
!!! Cannot find $EPATCH_SOURCE!
Comment 9 Luke Macken (RETIRED) gentoo-dev 2004-10-08 20:19:23 UTC
back to ebuild status until it is fixed.
Comment 10 Luke Macken (RETIRED) gentoo-dev 2004-10-11 12:40:46 UTC
Stuart,

please fix this patch issue.
Comment 11 Peter Westwood 2004-10-11 13:20:38 UTC
Patch issue has been fixed - see bug 66863
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-10-11 14:01:51 UTC
Back to [stable] status... We only need ppc stable on this one. x86 and sparc are already set.
Comment 13 Jochen Maes (RETIRED) gentoo-dev 2004-10-11 23:30:06 UTC
Koon, 

emerging it now on ppc, was waiting for the fix :-)
Comment 14 Jochen Maes (RETIRED) gentoo-dev 2004-10-11 23:57:32 UTC
stable on ppc
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-10-12 01:46:33 UTC
Ready for a GLSA vote
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-12 02:15:51 UTC
with this amount of issues a GLSA should maybe be issued, although it's still mainly just XSS

___

just some more advisories about possible response splitting attack:

http://wordpress.org/development/2004/10/wp-121/

At the same time we were responsibly notified of a related but separate problem in the code related to HTTP response splitting (PDF link) by 
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-12 02:15:51 UTC
with this amount of issues a GLSA should maybe be issued, although it's still mainly just XSS

___

just some more advisories about possible response splitting attack:

http://wordpress.org/development/2004/10/wp-121/

At the same time we were responsibly notified of a related but separate problem in the code related to HTTP response splitting (PDF link) by Chaotic Evil.

http://www.securityfocus.com/archive/1/377770/2004-10-02/2004-10-08/0
http://securitytracker.com/id?1011592
http://secunia.com/advisories/12773/
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-10-12 04:40:29 UTC
GLSA there will be, then.
Comment 19 Luke Macken (RETIRED) gentoo-dev 2004-10-14 05:05:17 UTC
GLSA 200410-12