Bug 447888 (CVE-2008-2392)

Summary: CVE-2008-2392 wordpress: Malicious File Execution Vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: adrian, john
Keywords: Security
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2392
Last Closed: 2010-12-23 19:05:32 UTC

Description Tomas Hoger 2008-05-22 10:40:19 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2392 to the following vulnerability:

Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.

References:
http://www.securityfocus.com/archive/1/archive/1/492230/100/0/threaded
http://www.securityfocus.com/bid/29276

Comment 1 Tomas Hoger 2008-05-22 11:17:19 UTC
This can only be an issue in deployments, where blog administrator does not
have a local access to web server or the access is restricted in a way that he
can not create php script in e.g. public_html directory to run arbitrary code as
web server user.

I'm tempted to call this notabug for Fedora.  WordPress RPM installs wordpress
files to /usr/share/wordpress, owned by user root and not writable to web server
user.

For uploads to work, system administrator would have to change permissions on
wp-content/uploads directory to make uploads possible.  Blog admin can possibly
change upload directory, but, by default, there is no directory writable to web
server user that is also configured to be served via web server.

Second vector described in the announcement can not be exploited by default as
well, as plugin files are not writable to web server user and can not be
modified to contain malicious php code.

I failed to find any related ticket in the upstream trac.  Adrian, John, do you
know whether upstream has any statement regarding this or are planning to
implement any fixes for this issue?  Do you agree with notabug assessment of
this problem or have I missed anything in my analysis?  Thanks!


Comment 2 Adrian Reber 2008-05-24 22:37:58 UTC
I do not know if upstream is planning anything. But I am not following
development closely enough to really make a valid statement.

Like you described it, it does not sound like it seems to be a problem for the
default Fedora installation and therefore I agree with you to close it.

If upstream would release a new version I would update to the newest version
because this seems always the best with wordpress.

Comment 3 Vincent Danen 2010-12-23 19:05:32 UTC
This behaviour is intentional, as per http://codex.wordpress.org/CVEs#2008 :

""Admin" user has ability to edit plugins and upload files if file permissions allow- this is intentional."
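
Added example (not part of the bug report and not WordPress or Fedora code): a Python audit that applies the reasoning from comment 1 and the Codex statement quoted in comment 3 to an installed tree. It lists directories the web server account could create files in and existing .php files it could modify. The function names and the `apache` account in the usage comment are assumptions; only plain mode bits are evaluated, not ACLs.

```python
import os
import stat


def grants_write(st, uid, gids):
    """True if the mode bits in st give write access to uid/gids.

    Follows the POSIX class order: owner bits if uid owns the file,
    else group bits if a gid matches, else the 'other' bits.
    """
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root, uid, gids):
    """Walk root and return (writable_dirs, writable_php) as sorted lists.

    writable_dirs: directories where the account could create files
                   (the upload vector from the description).
    writable_php:  existing .php files the account could modify
                   (the plugin-editing vector from comment 1).
    ACLs and parent-directory search permission are not evaluated.
    """
    gids = set(gids)
    writable_dirs, writable_php = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if grants_write(os.stat(dirpath), uid, gids):
            writable_dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if (stat.S_ISREG(st.st_mode) and name.endswith(".php")
                    and grants_write(st, uid, gids)):
                writable_php.append(path)
    return sorted(writable_dirs), sorted(writable_php)


if __name__ == "__main__":
    import pwd
    import sys
    # Usage: audit.py /usr/share/wordpress apache
    # ("apache" is an assumed account name; use the one your web server runs as)
    root, account = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(account)
    dirs, php = audit_tree(root, pw.pw_uid, os.getgrouplist(account, pw.pw_gid))
    print("\n".join(["writable dir: " + d for d in dirs] +
                    ["writable php: " + f for f in php]))
```

An empty result for the packaged tree matches the default state described in comment 1; a writable directory that is also served by the web server is the condition under which the reported upload behaviour becomes relevant.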