Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 74649 - www-apps/wordpress: Multiple XSS issues
Summary: www-apps/wordpress: Multiple XSS issues
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [unmask] lewk
Depends on:
Reported: 2004-12-16 10:33 UTC by Luke Macken (RETIRED)
Modified: 2005-03-02 05:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Ebuild for v1.2.2 (wordpress-1.2.2.ebuild,2.05 KB, text/plain)
2004-12-17 00:59 UTC, Peter Westwood
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Luke Macken (RETIRED) gentoo-dev 2004-12-16 10:33:41 UTC
Vendor : Wordpress
URL    :
Version: Wordpress 1.2.1
Risk:  : XSS

* Description
WordPress is a state-of-the-art semantic personal
publishing platform with a focus on aesthetics, web
standards, and usability. [...]

Visit for detailed informations.

* Summary
After a quick reread of the wordpress source code I
was very disappointed about the improvements in the
new version 1.2.1 of wordpress. The developers did
not fix all flaws I mentioned in my last advisory
[1] and they did not improve the code of the files
in the administration panel. There were still a lot
of XSS vulnerabilities.

So I contaced the main developer again on October
28th and posted the notice about several security
flaws in their support forum to be sure the message
reaches the developers. On December 15th - yesterday
- they released a fixed version.

* Cross Site Scripting and similar flaws
The version 1.2.1 of wordpress was *more* vulnerable
than the 1.2 release cause of this new "feature"
in wp-login.php.

> // If someone has moved WordPress let's try to detect it
> if ( dirname('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'])
!= get_settings('siteurl') )
>    update_option('siteurl', dirname('http://' . $_SERVER['HTTP_HOST'] .

With an URI like


an attacker was able to store arbitrary values in 
the global siteurl setting. 

Another issue was that an administrator or privileged
user was able to post messages, add new categories,
change profile values etc. with HTML code in it.

Still vulnerable in WP-1.2.1:

XSS vulns they did not fix:

SQL errors:

* Solution
Upgrade to Worpress 1.2.2 [2]

* Credits
Thomas Waldegger

Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-12-16 10:34:48 UTC
web-apps, please bump to 1.2.2
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-16 14:11:09 UTC
This should probably be handled as an update for GLSA 200410-12 (same vulnerability which was not patched enough)
Comment 3 Peter Westwood 2004-12-17 00:59:51 UTC
Created attachment 46195 [details]
Ebuild for v1.2.2

This is an ebuild for v1.2.2 - a straight copy of v1.2.1 expect for the

Change in SRC_URI - v1.2.2 is not available from at the momement and
default link on from page is to latest.tar.gz - Talked to photomatt (the main
wordpress author on irc and he has made it so that latest-1.2.2.tar.gz will get
the right file)

Remove the patching of the login code which should be fixed in this version.

If anyone still has login problems they probably aught to check that they have
run the upgrade.php file as described here:
Comment 4 Stuart Herbert (RETIRED) gentoo-dev 2004-12-17 01:02:19 UTC
I'll bump this package as soon as I get home from work this evening.

Best regards,
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2004-12-18 13:38:07 UTC
Hi, is unreachable atm, and the new release still hasn't turned up on SourceForge.  I'll keep an eye on, and bump this package once the server's back.

Best regards,
Comment 6 Stuart Herbert (RETIRED) gentoo-dev 2004-12-18 15:39:32 UTC
Okay, wordpress 1.2.2 is in the tree, and marked stable on x86 and ppc.  

Needs marking stable on sparc, as sparc has just marked the (much older) 1.2-r1 ebuild as stable.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2004-12-18 16:30:38 UTC
Stable on sparc.
Comment 8 Luke Macken (RETIRED) gentoo-dev 2004-12-18 16:45:51 UTC
Ready for GLSA.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 05:47:37 UTC
Please release this as an update to GLSA 200410-12, not a new GLSA.
Comment 10 Luke Macken (RETIRED) gentoo-dev 2004-12-19 14:02:59 UTC
Released update to GLSA 200410-12.
Comment 11 Luke Macken (RETIRED) gentoo-dev 2004-12-21 18:09:36 UTC
It looks like these vulnerabilities haven't been fixed yet:

Screw email, I'll bother the upstream on IRC ;)
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-01-10 01:40:32 UTC
lewk: what's the status on this ?
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-01-10 05:41:56 UTC
A couple of the devs confirmed this issue on IRC a few weeks ago, but I haven't heard anything recently.  I just sent an email upstream asking for more info.
Comment 14 Stuart Herbert (RETIRED) gentoo-dev 2005-01-10 10:52:15 UTC
If UPSTREAM don't get their act together, I'm happy to drop support for wordpress on the grounds that they're just an ongoing security problem.

Best regards,
Comment 15 Luke Macken (RETIRED) gentoo-dev 2005-01-24 17:31:07 UTC
I still haven't heard anything back from upstream.  Stuart, feel free to try and get ahold of them yourself, or you can do as you wish with this package.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 06:27:37 UTC
Just paid a visit to #wordpress and found infowolfe there. Apparently this is all fixed in 1.5 nightlies, but no dev was around to tell us when it's due. infowolfe will try to make up a patch, with or without upstream dev help.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 07:04:27 UTC
We should mask it until they get a 1.5 version.
Comment 18 Aaron Walker (RETIRED) gentoo-dev 2005-02-11 07:10:09 UTC
In package.mask.
Comment 19 Stuart Herbert (RETIRED) gentoo-dev 2005-02-11 10:46:45 UTC

Anyone got a link that works for the current vulnerabilities?  The one posted doesn't work.

Comment 20 Stuart Herbert (RETIRED) gentoo-dev 2005-02-11 10:57:32 UTC looks like the correct link.

I've emailed the author.  Let's see what we hear back.

Best regards,
Comment 21 Stuart Herbert (RETIRED) gentoo-dev 2005-02-11 13:25:21 UTC
I've spoken with the upstream author.  He asserts that Wordpress 1.2.2 is not vulnerable.

Anyone got an exploit that we can use to test this?

Best regards,
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 14:05:51 UTC
From :

Cross-site Scripting:

SQL Injection:
Comment 23 Stuart Herbert (RETIRED) gentoo-dev 2005-02-12 13:39:51 UTC
Hrm.  I've had no luck reproducing those exploits against Wordpress 1.2.2.  Anyone else want to try?

Best regards,
Comment 24 Peter Westwood 2005-02-15 00:16:37 UTC
v1.5 has been released see

upgrading is not as simple as writing the new files over the top so we may need to point people to the upgrade guide as well
Comment 25 Stuart Herbert (RETIRED) gentoo-dev 2005-02-15 14:07:21 UTC
Okay, I'll add this to Thursday's todo list.  Got an nxserver/freenx upgrade to do first tho.

Best regards,
Comment 26 Luke Macken (RETIRED) gentoo-dev 2005-02-23 19:07:12 UTC
Stuart, any updates on this ?
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 03:13:27 UTC
If the author says it's not affected and we can't reproduce, we should close this bug and unmask wordpress. Anyone else wants to try ?
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 01:40:03 UTC
We should unmask >=1.2.2 since we can't reproduce and author says it's clean.
Comment 29 Aaron Walker (RETIRED) gentoo-dev 2005-03-02 03:39:58 UTC
everything <1.2.2 has been removed from the tree; removed from p.mask.
Comment 30 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 05:17:41 UTC
Considering this fixed as of GLSA 200410-12:02.
Please reopen if you can prove it's still vulnerable