Bug 444396 (CVE-2008-2068)

Summary: wordpress: security fixes in upstream version 2.5.1 (CVE-2008-1930, CVE-2008-2068)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: adrian, john
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-07-25 08:59:37 UTC

Description Tomas Hoger 2008-04-28 06:49:39 UTC
New upstream WordPress version 2.5.1 was released:

http://wordpress.org/development/2008/04/wordpress-251/

  "... It includes a number of bug fixes, performance enhancements, and one
   very important security fix. We recommend everyone update immediately,
   particularly if your blog has open registration. The vulnerability is not
   public but it will be shortly."

Release announcement suggests multiple security issues were fixed in this version:

  "Many thanks to Steven Murdoch for responsibly reporting the security issue
  (CVE-2008-1930) and Alex Concha for reporting an XSS issue."

Comment 1 Tomas Hoger 2008-04-28 06:57:42 UTC
CVE-2008-1930:

 An attacker, who is able to register a specially crafted username on
 a Wordpress 2.5 installation, is able to generate authentication
 cookies for other chosen accounts.

 This vulnerability exists because it is possible to modify
 authentication cookies without invalidating the cryptographic
 integrity protection.

 If a Wordpress blog is configured to freely permit account creation,
 a remote attacker can gain Wordpress-administrator access and then
 elevate this to arbitrary code execution as the web server user.

 The vulnerability is fixed in Wordpress 2.5.1

References:
http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-integrity.txt
http://marc.info/?l=full-disclosure&m=120913941501562&w=4
http://trac.wordpress.org/changeset/7822

(This is probably the secret issue, with undisclosed details.)

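Added illustration (not WordPress code and not part of this bug report) of the class of flaw the advisory above describes: a cookie whose MAC input is the username and expiry run together without a separator, so a legitimately registered username such as "admin0" yields a tag that also verifies for the username "admin" with the digit moved into the expiry field. The cookie layout `username|expiry|tag`, the key, the timestamps and the function names are constructed for this example; the exact WordPress field layout is not reproduced on this page and is not claimed here.

```python
"""Ambiguous MAC input: a crafted username forges another account's cookie.

Constructed example of the bug class only. The vulnerable scheme MACs
username + expiry with no separator; the fixed scheme inserts one.
"""
import hashlib
import hmac
from typing import Optional

KEY = b"constructed-example-secret"  # constructed server-side secret (assumption)


def _tag(message: str) -> str:
    return hmac.new(KEY, message.encode(), hashlib.sha256).hexdigest()


# --- vulnerable scheme: fields concatenated with no separator before MACing ---

def weak_issue(username: str, expiry: int) -> str:
    """Server issues username|expiry|MAC(username + expiry)."""
    return f"{username}|{expiry}|{_tag(username + str(expiry))}"


def weak_verify(cookie: str, now: int) -> Optional[str]:
    """Returns the authenticated username, or None.

    The MAC is recomputed over the raw cookie fields, so two different
    (username, expiry) splits of the same string give the same MAC input.
    """
    username, expiry, tag = cookie.split("|")
    if not hmac.compare_digest(_tag(username + expiry), tag):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return username


def forge(cookie: str, target: str) -> str:
    """Attacker holds a valid cookie for <target> followed by digits
    (e.g. 'admin0') and moves the trailing digits into the expiry field.
    The concatenated MAC input is unchanged, so the tag still verifies."""
    username, expiry, tag = cookie.split("|")
    suffix = username[len(target):]
    if not (username.startswith(target) and suffix.isdigit()):
        raise ValueError("registered username must be target + digits")
    return f"{target}|{suffix}{expiry}|{tag}"


# --- fixed scheme: an explicit separator makes the MAC input unambiguous ---

def fixed_issue(username: str, expiry: int) -> str:
    return f"{username}|{expiry}|{_tag(f'{username}|{expiry}')}"


def fixed_verify(cookie: str, now: int) -> Optional[str]:
    username, expiry, tag = cookie.split("|")
    if not hmac.compare_digest(_tag(f"{username}|{expiry}"), tag):
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return username


NOW = 1_600_000_000      # constructed "current time"
EXPIRY = 1_700_000_000   # constructed expiry, still in the future


def demo() -> dict:
    """Run the forgery against both schemes and report what each accepts."""
    attacker_cookie = weak_issue("admin0", EXPIRY)   # obtained by normal login
    forged = forge(attacker_cookie, "admin")
    return {
        "weak_accepts_forgery": weak_verify(forged, NOW),      # 'admin'
        "fixed_rejects_forgery": fixed_verify(
            forge(fixed_issue("admin0", EXPIRY), "admin"), NOW),  # None
        "fixed_accepts_genuine": fixed_verify(
            fixed_issue("admin", EXPIRY), NOW),                   # 'admin'
    }


if __name__ == "__main__":
    print(demo())
```

The fix only holds if the separator cannot appear inside a username; a verifier should also reject usernames that contain it, or encode each field with a length prefix before MACing, so that no two field splits share a MAC input.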

Comment 2 Tomas Hoger 2008-04-28 07:03:20 UTC
Addition to comment #1:

According to Steven Murdoch's paper, the cookie protection mechanism affected by
CVE-2008-1930 was only introduced in WordPress 2.5 and therefore should not
affect the versions of WordPress currently shipped in Fedora.

Comment 3 Tomas Hoger 2008-04-28 07:08:10 UTC
This seems to be a fix for XSS mentioned in the announcement:

http://trac.wordpress.org/changeset/7826


Comment 4 Adrian Reber 2008-04-28 07:10:48 UTC
Thanks for comment #2 about Fedora not being affected.

The problem is that the release talks about multiple security fixes and as there
will be no update for 2.3.3 and as the update from 2.3.3 to 2.5.1 seems to be
pretty easy (and for my tests without problems) I would still prefer that the
updates are pushed. Maybe as a first step only to testing if Fedora is not affected.

Comment 5 Tomas Hoger 2008-04-28 07:17:15 UTC
Oops, all these should be relevant for the XSS issue:

http://trac.wordpress.org/changeset/7819
http://trac.wordpress.org/changeset/7823
http://trac.wordpress.org/changeset/7826


Comment 6 Tomas Hoger 2008-04-28 07:20:51 UTC
Other issue fixed in 2.5.1 - unauthorized attachment attributes edits:

  Any user that knows the ID of an attachment is able to edit some attributes
  of it.

http://trac.wordpress.org/ticket/6838

Changesets:
http://trac.wordpress.org/changeset/7828
http://trac.wordpress.org/changeset/7830

Comment 7 Tomas Hoger 2008-04-28 07:25:37 UTC
(In reply to comment #4)
> The problem is that the release talks about multiple security fixes

Yes.  Hopefully, those should be all listed here now.

> will be no update for 2.3.3 and as the update from 2.3.3 to 2.5.1 seems to be
> pretty easy (and for my tests without problems) I would still prefer that the
> updates are pushed.

Sounds ok to me.  Updates are now waiting for RelEng to sign and push.

> Maybe as a first step only to testing if Fedora is not affected.

Feel free to change request from stable to testing if you prefer.

Thanks for quick update!

Comment 8 Fedora Update System 2008-04-29 20:51:03 UTC
wordpress-2.5.1-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-04-29 20:59:16 UTC
wordpress-2.5.1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2008-05-05 06:42:00 UTC
CVE id for the XSS issue:

CVE-2008-2068:

Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows
remote attackers to inject arbitrary web script or HTML via
unspecified vectors.

References:
http://wordpress.org/development/2008/04/wordpress-251/
http://secunia.com/advisories/29965
http://xforce.iss.net/xforce/xfdb/42029

Comment 11 Red Hat Product Security 2008-07-25 08:59:37 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3397