Vendor : Wordpress
URL : http://wordpress.org/
Version: Wordpress 1.2.1
Risk: : XSS

* Description

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. [...] Visit http://wordpress.org/ for detailed information.

* Summary

After a quick reread of the wordpress source code I was very disappointed about the improvements in the new version 1.2.1 of wordpress. The developers did not fix all flaws I mentioned in my last advisory [1] and they did not improve the code of the files in the administration panel. There were still a lot of XSS vulnerabilities. So I contacted the main developer again on October 28th and posted the notice about several security flaws in their support forum to be sure the message reaches the developers. On December 15th - yesterday - they released a fixed version.

* Cross Site Scripting and similar flaws

The version 1.2.1 of wordpress was *more* vulnerable than the 1.2 release because of this new "feature" in wp-login.php.

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) != get_settings('siteurl') )
>     update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']) );

With a URI like /wp-login.php?="><script>alert(document.cookie)</script> an attacker was able to store arbitrary values in the global siteurl setting.

Another issue was that an administrator or privileged user was able to post messages, add new categories, change profile values etc. with HTML code in it.

Still vulnerable in WP-1.2.1:

/wp-login.php?redirect_to=[XSS]
/wp-admin/bookmarklet.php?popupurl=[XSS]
/wp-admin/bookmarklet.php?content=[XSS]

XSS vulns they did not fix:

/wp-admin/edit-comments.php?s=[XSS]
/wp-admin/edit-comments.php?s=bla&submit=Search&mode=[XSS]
/wp-admin/templates.php?file=[XSS]
/wp-admin/link-add.php?linkurl=[XSS]
/wp-admin/link-add.php?name=[XSS]
/wp-admin/link-categories.php?cat_id=[XSS]&action=Edit
/wp-admin/link-manager.php?order_by=[XSS]
/wp-admin/link-manager.php?cat_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_url=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_name=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_description=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rel=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_image=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_rss_uri=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_notes=[XSS]
/wp-admin/link-manager.php?action=linkedit&link_id=[XSS]
/wp-admin/link-manager.php?action=linkedit&order_by=[XSS]
/wp-admin/link-manager.php?action=linkedit&cat_id=[XSS]
/wp-admin/post.php?content=[XSS]
/wp-admin/moderation.php?action=update&item_approved=[XSS]

SQL errors:

/index.php?m=bla
/wp-admin/edit.php?m=bla
/wp-admin/link-categories.php?cat_id=bla&action=Edit

* Solution

Upgrade to WordPress 1.2.2 [2]

* Credits

Thomas Waldegger

[1] http://www.securityfocus.com/archive/1/376766
[2] http://wordpress.org/development/2004/12/one-point-two-two/
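The siteurl auto-detection quoted in the advisory trusts two request-controlled values (HTTP_HOST and REQUEST_URI) and writes the result straight into a persistent option. The following is an added example, not code from the advisory or from WordPress: it places the vulnerable shape beside a hardened variant that only accepts an operator-configured host allowlist, derives the path from SCRIPT_NAME rather than the raw request URI, and leaves the stored option untouched on anything unexpected. The function names, the allowlist and the constructed request are all assumptions made for the example.

```php
<?php
// Added example (not from the advisory or WordPress): the "moved WordPress"
// detection rewritten so request-controlled data never reaches the
// persistent siteurl option without validation.

// Vulnerable shape from the advisory: the value comes entirely from
// HTTP_HOST and REQUEST_URI, so a single crafted request poisons siteurl.
function detect_siteurl_unsafe(array $server): string
{
    return dirname('http://' . $server['HTTP_HOST'] . $server['REQUEST_URI']);
}

// Hardened variant (hypothetical helper): returns the new siteurl only when
// the host is on the allowlist, the path is a plain filesystem-style path,
// and the value actually differs from the stored one; otherwise null.
function detect_siteurl_safe(array $server, array $allowed_hosts, string $current): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowed_hosts, true)) {
        return null;                        // unknown Host header: do not update
    }
    // SCRIPT_NAME is set by the web server from the script's real location
    // and never carries the query string, unlike REQUEST_URI.
    $path = dirname($server['SCRIPT_NAME'] ?? '/');
    if (!preg_match('#^(/[A-Za-z0-9._-]+)*/?$#', $path)) {
        return null;                        // reject anything that is not a plain path
    }
    $candidate = rtrim('http://' . $host . $path, '/');
    return $candidate === $current ? null : $candidate;
}

// Output encoding for admin pages that echo request parameters back,
// which is the other class of flaw listed in the advisory.
function esc_html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request modelled on the advisory's wp-login.php payload.
$request = [
    'HTTP_HOST'   => 'blog.example',
    'REQUEST_URI' => '/wp-login.php?="><script>alert(document.cookie)</script>',
    'SCRIPT_NAME' => '/wp-login.php',
];
var_dump(detect_siteurl_unsafe($request));  // string containing the injected <script
var_dump(detect_siteurl_safe($request, ['blog.example'], 'http://blog.example')); // NULL
var_dump(esc_html_attr($request['REQUEST_URI']));  // angle brackets and quotes encoded
```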
web-apps, please bump to 1.2.2
This should probably be handled as an update for GLSA 200410-12 (same vulnerability which was not patched enough)
Created attachment 46195
Ebuild for v1.2.2

This is an ebuild for v1.2.2 - a straight copy of v1.2.1 except for the following:

- Change in SRC_URI - v1.2.2 is not available from sf.net at the moment and the default link on the front page is to latest.tar.gz. Talked to photomatt (the main wordpress author) on irc and he has made it so that latest-1.2.2.tar.gz will get the right file.
- Remove the patching of the login code, which should be fixed in this version.

If anyone still has login problems they probably ought to check that they have run the upgrade.php file as described here: http://codex.wordpress.org/Upgrading
I'll bump this package as soon as I get home from work this evening. Best regards, Stu
Hi, Wordpress.org is unreachable atm, and the new release still hasn't turned up on SourceForge. I'll keep an eye on wordpress.org, and bump this package once the server's back. Best regards, Stu
Okay, wordpress 1.2.2 is in the tree, and marked stable on x86 and ppc. Needs marking stable on sparc, as sparc has just marked the (much older) 1.2-r1 ebuild as stable.
Stable on sparc.
Ready for GLSA.
Please release this as an update to GLSA 200410-12, not a new GLSA.
Released update to GLSA 200410-12.
It looks like these vulnerabilities haven't been fixed yet: http://www.securityfocus.com/archive/1/385042/ Screw email, I'll bother the upstream on IRC ;)
lewk: what's the status on this ?
A couple of the devs confirmed this issue on IRC a few weeks ago, but I haven't heard anything recently. I just sent an email upstream asking for more info.
If UPSTREAM don't get their act together, I'm happy to drop support for wordpress on the grounds that they're just an ongoing security problem. Best regards, Stu
I still haven't heard anything back from upstream. Stuart, feel free to try and get ahold of them yourself, or you can do as you wish with this package.
Just paid a visit to #wordpress and found infowolfe there. Apparently this is all fixed in 1.5 nightlies, but no dev was around to tell us when it's due. infowolfe will try to make up a patch, with or without upstream dev help.
We should mask it until they get a 1.5 version.
In package.mask.
Hi, Anyone got a link that works for the current vulnerabilities? The one posted doesn't work. Thanks, Stu
http://www.securityfocus.com/bid/11984 looks like the correct link. I've emailed the author. Let's see what we hear back. Best regards, Stu
I've spoken with the upstream author. He asserts that Wordpress 1.2.2 is not vulnerable. Anyone got an exploit that we can use to test this? Best regards, Stu
From http://www.securityfocus.com/bid/12066/exploit/ : Cross-site Scripting: /wp-login.php?action=login&redirect_to=[XSS] /wp-admin/templates.php?file=[XSS] /wp-admin/post.php?content=[XSS] SQL Injection: /index.php?m=bla /wp-admin/edit.php?m=bla
Hrm. I've had no luck reproducing those exploits against Wordpress 1.2.2. Anyone else want to try? Best regards, Stu
v1.5 has been released, see http://wordpress.org/download/. Upgrading is not as simple as writing the new files over the top, so we may need to point people to the upgrade guide as well: http://codex.wordpress.org/Upgrade_1.2_to_1.5
Okay, I'll add this to Thursday's todo list. Got an nxserver/freenx upgrade to do first tho. Best regards, Stu
Stuart, any updates on this ?
If the author says it's not affected and we can't reproduce, we should close this bug and unmask wordpress. Anyone else wants to try ?
We should unmask >=1.2.2 since we can't reproduce and author says it's clean.
Everything <1.2.2 has been removed from the tree; removed from p.mask.
Considering this fixed as of GLSA 200410-12:02. Please reopen if you can prove it's still vulnerable