Vendor  : Wordpress
URL     : http://wordpress.org/
Version : Wordpress 1.2
Risk    : XSS

Description:
WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. [...] Go to http://wordpress.org/ for detailed information.

Cross Site Scripting:

wp-login.php:
/wp-login.php?redirect_to=[XSS]
/wp-login.php?mode=bookmarklet&text=[XSS]
/wp-login.php?mode=bookmarklet&popupurl=[XSS]
/wp-login.php?mode=bookmarklet&popuptitle=[XSS]

Nearly every file in the administration panel of WordPress is vulnerable to XSS attacks.

admin-header.php:
/admin-header.php?redirect=1&redirect_url=%22;alert(document.cookie)//
Nice bug. ;o)

bookmarklet.php:
/bookmarklet.php?popuptitle=[XSS]
/bookmarklet.php?popupurl=[XSS]
/bookmarklet.php?content=[XSS]
/bookmarklet.php?post_title=[XSS]

categories.php:
/categories.php?action=edit&cat_ID=[XSS]

edit.php:
/edit.php?s=[XSS]

edit-comments.php:
/edit-comments.php?s=[XSS]
/edit-comments.php?mode=[XSS]

and so on ...

Solution:
There is no solution yet. I contacted Matthew Mullenweg, one of the lead developers of WordPress, on Wednesday but have not received an answer so far.

Credits: Thomas Waldegger
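The advisory lists the reflected parameters but not the code pattern that makes them dangerous. The admin-header.php payload, %22;alert(document.cookie)//, is a double quote followed by JavaScript: the parameter is being copied into a JavaScript string literal, so the quote closes the string, the semicolon ends the statement, and the rest runs as code. The following is an added example (not code from this bug thread or from WordPress) that models that pattern in Python, contrasts it with a correctly escaped render, and includes a small scanner that checks whether a rendered value escaped its string context. The file and parameter names and the payload are the advisory's; the template text, the scanner and the function names are assumptions made for illustration. The hidden-field function covers the other context the advisory lists (redirect_to in wp-login.php), where the value sits in an HTML attribute rather than in script.

```python
# Added example, not code from the bug thread or from WordPress: a minimal
# model of the admin-header.php finding above, where the redirect_url
# parameter is copied into a JavaScript string literal, plus the
# attribute-context case (redirect_to in wp-login.php). File and parameter
# names and the payload are the advisory's; the template text and the
# function names are assumptions made for illustration.
import html
import json
from urllib.parse import unquote_plus, urlsplit

# Constructed stand-in for the redirect snippet (the real 1.2 template is
# not on the page); the scanner below relies on this exact shape.
SCRIPT_PREFIX = '<script>window.location = '
SCRIPT_SUFFIX = ';</script>'

# The advisory's proof-of-concept URL, exactly as it would be posted.
POC_URL = '/admin-header.php?redirect=1&redirect_url=%22;alert(document.cookie)//'


def query_param(url: str, name: str) -> str:
    """Return one decoded query parameter (PHP's $_GET does this decoding)."""
    for pair in urlsplit(url).query.split('&'):
        key, _, value = pair.partition('=')
        if key == name:
            return unquote_plus(value)
    return ''


def render_unsafe(redirect_url: str) -> str:
    """Vulnerable pattern: the raw parameter lands inside the literal."""
    return f'{SCRIPT_PREFIX}"{redirect_url}"{SCRIPT_SUFFIX}'


def render_safe(redirect_url: str) -> str:
    """Hardened: json.dumps produces a double-quoted JS literal with quotes,
    backslashes and control characters escaped; '<' is escaped as well so a
    value containing '</script>' cannot end the script block early."""
    literal = json.dumps(redirect_url).replace('<', '\\u003c')
    return f'{SCRIPT_PREFIX}{literal}{SCRIPT_SUFFIX}'


def code_after_literal(rendered: str) -> str:
    """Scan like a JS tokenizer: skip the double-quoted literal, honouring
    backslash escapes, and return whatever source follows its closing quote
    (minus the expected ';'). Non-empty means the value broke out of the
    string and runs as code. This models the string context only; the
    '</script>' case is what render_safe's '<' escaping is for."""
    body = rendered[len(SCRIPT_PREFIX):-len('</script>')]
    if not body.startswith('"'):
        raise ValueError('expected a double-quoted literal')
    i = 1
    while i < len(body) and body[i] != '"':
        i += 2 if body[i] == '\\' else 1
    tail = body[i + 1:]
    return tail[1:] if tail.startswith(';') else tail


def exploitable(renderer, url: str) -> bool:
    """True if the redirect_url taken from `url` executes code under `renderer`."""
    return code_after_literal(renderer(query_param(url, 'redirect_url'))) != ''


def hidden_field_safe(redirect_to: str) -> str:
    """The same kind of value in an HTML attribute (wp-login.php's
    redirect_to): attribute escaping, not JS escaping, is the right tool."""
    return ('<input type="hidden" name="redirect_to" value="'
            f'{html.escape(redirect_to, quote=True)}">')


if __name__ == '__main__':
    value = query_param(POC_URL, 'redirect_url')
    print(render_unsafe(value))
    print('injected code:', code_after_literal(render_unsafe(value)))
    print(render_safe(value))
    print('injected code after hardening:', repr(code_after_literal(render_safe(value))))
```

The two renderers make the point that the fix depends on the output context: a value inside a script string needs JavaScript string escaping, a value inside an attribute needs HTML attribute escaping (in PHP, htmlspecialchars with ENT_QUOTES does what html.escape does here), and applying the wrong one leaves the hole open.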
I saw this on bugtraq, but I'm confused. Is he saying that if you visit, say, /wp-login.php?redirect_to=http://evilhacker.ru/wussy_IE_vulnerability.html, you'll end up going to this evil Russian hacker's site and downloading a wussy IE vulnerability? All of these instances seem to be the same; the risk is only there if some administrator voluntarily visits that URL. I guess it means if you're a slashdot troll, you can post URLs that appear to be from one site and really are from another, but other than that I just don't see what the big deal here is. So unless I'm mistaken, I'd say this isn't much of a security bug (or at least deserves no GLSA).
Nah, it allows script injection, probably from inside the blog. Clearly XSS. WordPress acknowledged it at: http://wordpress.org/support/4/13818 They are getting a 1.2.1 version ready.
I'll keep an eye on upstream ;)
http://wordpress.org/development/2004/10/wp-121/ web-apps, please bump to 1.2.1
Created attachment 41262
Ebuild for v1.2.1

I have updated the v1.2r1 ebuild for v1.2.1. Login problems should now be fixed, so I have commented out the patch that was previously used. At the moment the line for the Post Install instructions is commented out too. I think that the ones from v1.2 should be fine though.

I have this installed and running fine on my site - webapp-config upgraded my previous v1.2 install successfully.
Added to CVS. I still had to patch the login code in order to work locally, but at least the patch was much smaller this time. We need others to test the patch before we can mark this ebuild as stable. Best regards, Stu
archs, please mark stable.
Ebuild is borked as a patch appears to be missing:

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *
 *   /usr/portage/www-apps/wordpress/files/1.2.1/login-patch.diff

!!! ERROR: www-apps/wordpress-1.2.1 failed.
!!! Function epatch, Line 262, Exitcode 0
!!! Cannot find $EPATCH_SOURCE!
Back to ebuild status until it is fixed.
Stuart, please fix this patch issue.
Patch issue has been fixed - see bug 66863
Back to [stable] status... We only need ppc stable on this one. x86 and sparc are already set.
Koon, emerging it now on ppc, was waiting for the fix :-)
stable on ppc
Ready for a GLSA vote
With this amount of issues a GLSA should maybe be issued, although it's still mainly just XSS.

Just some more advisories about a possible response splitting attack:

http://wordpress.org/development/2004/10/wp-121/
"At the same time we were responsibly notified of a related but separate problem in the code related to HTTP response splitting (PDF link) by Chaotic Evil."

http://www.securityfocus.com/archive/1/377770/2004-10-02/2004-10-08/0
http://securitytracker.com/id?1011592
http://secunia.com/advisories/12773/
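The response splitting issue referenced above is a different failure mode from the XSS entries: the same redirect parameters end up in an HTTP Location header, and a value carrying a CR/LF pair terminates that header and lets the attacker append headers, or an entire second response, that a browser or intermediary cache will treat as the server's own. The following is an added example (not code from this thread, from WordPress or from the linked advisories) showing the split on a constructed redirect handler, a naive response parser that exposes the attacker-authored second response, and the check that rejects such values. The parameter name is the advisory's; the handler, the payload and the parser are constructed for illustration.

```python
# Added example, not code from the bug thread, from WordPress or from the
# linked advisories: how a CR/LF pair inside a redirect parameter splits an
# HTTP response once it is copied into a Location header, and the check
# that stops it. The handler, the payload and the parser are constructed;
# the parameter name (redirect_to) is the advisory's.
from urllib.parse import unquote

# Constructed attacker value for redirect_to, shown URL-encoded as it
# travels in the query string. PHP's $_GET hands code the decoded form, so
# the CR/LF bytes are already raw by the time they reach header().
INJECTED_BODY = '<script>alert(1)</script>'
POC_TARGET = unquote(
    '/wp-admin/%0d%0aContent-Length:%200%0d%0a%0d%0a'
    'HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a'
    f'Content-Length:%20{len(INJECTED_BODY)}%0d%0a%0d%0a{INJECTED_BODY}'
)


class HeaderInjection(ValueError):
    """Raised when a value would break out of its header line."""


def build_redirect_unsafe(target: str) -> bytes:
    """Vulnerable: the raw parameter becomes the Location header value."""
    return (
        'HTTP/1.1 302 Found\r\n'
        f'Location: {target}\r\n'
        'Content-Length: 0\r\n'
        '\r\n'
    ).encode('latin-1')


def build_redirect_safe(target: str) -> bytes:
    """Hardened: reject CR, LF and NUL in the header value, and accept only
    a local path so the redirect cannot send the user off-site either."""
    if any(ch in target for ch in '\r\n\x00'):
        raise HeaderInjection('CR/LF in redirect target')
    if not target.startswith('/') or target.startswith('//'):
        raise HeaderInjection('redirect target must be a local path')
    return build_redirect_unsafe(target)


def is_safe_redirect(target: str) -> bool:
    """Convenience wrapper: True if build_redirect_safe accepts `target`."""
    try:
        build_redirect_safe(target)
    except HeaderInjection:
        return False
    return True


def parse_responses(raw: bytes) -> list:
    """Read a byte stream the way a naive client or cache would: one header
    block up to the blank line, then Content-Length bytes of body, repeat.
    A split response shows up as a second, attacker-authored entry."""
    responses, pos = [], 0
    while True:
        end = raw.find(b'\r\n\r\n', pos)
        if end < 0:
            break
        lines = raw[pos:end].decode('latin-1').split('\r\n')
        if not lines[0].startswith('HTTP/'):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(':')
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get('content-length', '0'))
        body = raw[end + 4:end + 4 + length]
        responses.append({'status': lines[0], 'headers': headers, 'body': body})
        pos = end + 4 + length
    return responses


if __name__ == '__main__':
    for r in parse_responses(build_redirect_unsafe(POC_TARGET)):
        print(r['status'], r['headers'], r['body'])
    print('accepted by hardened handler:', is_safe_redirect(POC_TARGET))
```

The parser is deliberately simple; the point is that once the bytes are on the wire nothing distinguishes the injected second response from a legitimate one, which is why the check has to happen before the value reaches the header, and why it should reject rather than strip (a stripped value may still be a different URL than the one the admin intended).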
GLSA there will be, then.
GLSA 200410-12