Bug 491318 (CVE-2009-1030)
Summary: | CVE-2009-1030 wordpress-mu: XSS vulnerability in helper function for WPMU | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | MODIFIED --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | john |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.securityfocus.com/archive/1/archive/1/501667/100/0/threaded | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Lieskovsky
2009-03-20 12:12:57 UTC
This issue affects the version of the wordpress-mu package, as shipped with Fedora release of 10. This issue does not affect the version of the wordpress-mu package, as shipped with Fedora devel. Two things to note about this vuln: 1) I've not been able to reproduce the proof-of-concept code from milw0rm using httpd-2.2.11-2.fc10.x86_64. That version of apache and above appears to recognize "<" and ">" as illegal characters in that header field. I'm not sure if this is limited to HTTP 1.1 or covers both, but it limits the scope of the attacks somewhat. PHP fronted by other webservers, however, may allow such characters to pass through to the app. 2) I've not yet been able to figure out how to create circumstances where an illicit string is passed as the host header, and yields a rendered page. WPMU matches the Host header against entries in the wp_sites table; an illicit entry would have to yield a sufficient match there for the page not to bail with "No site defined on this host." If folks have better reproducers, I'd be interested in seeing 'em. Regardless, I've backported the fix from 2.7 to nerf the code a bit, and will file an update asap. wordpress-mu-2.6.5-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/wordpress-mu-2.6.5-2.fc10 wordpress-mu-2.6.5-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. |