Vendor : Wordpress
URL : http://wordpress.org/
Version: Wordpress 1.2.1
Risk : XSS
WordPress is a state-of-the-art semantic personal
publishing platform with a focus on aesthetics, web
standards, and usability. [...]
Visit http://wordpress.org/ for detailed information.
After a quick reread of the wordpress source code I
was very disappointed about the improvements in the
new version 1.2.1 of wordpress. The developers did
not fix all flaws I mentioned in my last advisory
and they did not improve the code of the files
in the administration panel. There were still a lot
of XSS vulnerabilities.
So I contacted the main developer again on October
28th and posted the notice about several security
flaws in their support forum to be sure the message
reaches the developers. On December 15th - yesterday
- they released a fixed version.
* Cross Site Scripting and similar flaws
The version 1.2.1 of wordpress was *more* vulnerable
than the 1.2 release because of this new "feature":
> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
>      != get_settings('siteurl') )
>     update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] .
>                                      $_SERVER['REQUEST_URI']));
With a URI like
an attacker was able to store arbitrary values in
the global siteurl setting.
Another issue was that an administrator or privileged
user was able to post messages, add new categories,
change profile values etc. with HTML code in it.
Still vulnerable in WP-1.2.1:
XSS vulns they did not fix:
Upgrade to WordPress 1.2.2
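The siteurl auto-detection quoted in the advisory, modelled as an added example (not WordPress's own code) with a hardened form beside it; the function names, the host allowlist and the constructed requests are assumptions:

```php
<?php
// Added example, not WordPress code. Models the 1.2.1 "feature" quoted in the
// advisory: siteurl is derived from the request and persisted, so whatever the
// client sends in the Host header and request path ends up in a global setting.
function siteurl_from_request_vulnerable(array $server, string $stored_siteurl): string
{
    $detected = dirname('http://' . $server['HTTP_HOST'] . $server['REQUEST_URI']);
    // WP 1.2.1 called update_option('siteurl', ...) at this point; here the
    // value that would have been persisted is simply returned.
    return $detected != $stored_siteurl ? $detected : $stored_siteurl;
}

// Hardened form (assumed design, not from the page): the Host header is trusted
// only if it matches a fixed allowlist, the request path is reduced to its
// directory, and nothing is persisted; on any doubt the configured value wins.
function siteurl_from_request_hardened(array $server, string $stored_siteurl, array $allowed_hosts): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, $allowed_hosts, true)) {
        return $stored_siteurl;              // unknown or malformed Host header
    }
    $path = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if ($path === false || $path === null) {
        return $stored_siteurl;              // unparsable request path
    }
    $dir = rtrim(dirname($path), '/');
    return 'http://' . $host . $dir;
}

// Constructed requests: a legitimate one and one carrying a forged Host header.
$stored = 'http://blog.example/wp';
$legit  = ['HTTP_HOST' => 'blog.example', 'REQUEST_URI' => '/wp/index.php'];
$forged = ['HTTP_HOST' => 'evil.example', 'REQUEST_URI' => '/wp/index.php'];

// The vulnerable variant adopts the forged host; the hardened one keeps $stored.
echo siteurl_from_request_vulnerable($legit,  $stored), "\n";
echo siteurl_from_request_vulnerable($forged, $stored), "\n";
echo siteurl_from_request_hardened($legit,  $stored, ['blog.example']), "\n";
echo siteurl_from_request_hardened($forged, $stored, ['blog.example']), "\n";
```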
web-apps, please bump to 1.2.2
This should probably be handled as an update for GLSA 200410-12 (same vulnerability which was not patched enough)
Created attachment 46195
Ebuild for v1.2.2
This is an ebuild for v1.2.2 - a straight copy of v1.2.1 except for the
change in SRC_URI - v1.2.2 is not available from sf.net at the moment and
the default link on the front page is to latest.tar.gz - Talked to photomatt (the main
wordpress author) on irc and he has made it so that latest-1.2.2.tar.gz will get
the right file.
Remove the patching of the login code which should be fixed in this version.
If anyone still has login problems they probably ought to check that they have
run the upgrade.php file as described here:
I'll bump this package as soon as I get home from work this evening.
Wordpress.org is unreachable atm, and the new release still hasn't turned up on SourceForge. I'll keep an eye on wordpress.org, and bump this package once the server's back.
Okay, wordpress 1.2.2 is in the tree, and marked stable on x86 and ppc.
Needs marking stable on sparc, as sparc has just marked the (much older) 1.2-r1 ebuild as stable.
Stable on sparc.
Ready for GLSA.
Please release this as an update to GLSA 200410-12, not a new GLSA.
Released update to GLSA 200410-12.
It looks like these vulnerabilities haven't been fixed yet:
Screw email, I'll bother the upstream on IRC ;)
lewk: what's the status on this ?
A couple of the devs confirmed this issue on IRC a few weeks ago, but I haven't heard anything recently. I just sent an email upstream asking for more info.
If UPSTREAM don't get their act together, I'm happy to drop support for wordpress on the grounds that they're just an ongoing security problem.
I still haven't heard anything back from upstream. Stuart, feel free to try and get ahold of them yourself, or you can do as you wish with this package.
Just paid a visit to #wordpress and found infowolfe there. Apparently this is all fixed in 1.5 nightlies, but no dev was around to tell us when it's due. infowolfe will try to make up a patch, with or without upstream dev help.
We should mask it until they get a 1.5 version.
Anyone got a link that works for the current vulnerabilities? The one posted doesn't work.
http://www.securityfocus.com/bid/11984 looks like the correct link.
I've emailed the author. Let's see what we hear back.
I've spoken with the upstream author. He asserts that Wordpress 1.2.2 is not vulnerable.
Anyone got an exploit that we can use to test this?
From http://www.securityfocus.com/bid/12066/exploit/ :
Hrm. I've had no luck reproducing those exploits against Wordpress 1.2.2. Anyone else want to try?
v1.5 has been released see http://wordpress.org/download/
upgrading is not as simple as writing the new files over the top so we may need to point people to the upgrade guide as well
Okay, I'll add this to Thursday's todo list. Got an nxserver/freenx upgrade to do first tho.
Stuart, any updates on this ?
If the author says it's not affected and we can't reproduce, we should close this bug and unmask wordpress. Anyone else wants to try ?
We should unmask >=1.2.2 since we can't reproduce and author says it's clean.
everything <1.2.2 has been removed from the tree; removed from p.mask.
Considering this fixed as of GLSA 200410-12:02.
Please reopen if you can prove it's still vulnerable