Bug 491318 (CVE-2009-1030)

Summary: CVE-2009-1030 wordpress-mu: XSS vulnerability in helper function for WPMU
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: MODIFIED --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: john
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/archive/1/501667/100/0/threaded
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2009-03-20 12:12:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1030 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in the choose_primary_blog
function in wp-includes/wpmu-functions.php in WordPress MU (WPMU)
before 2.7 allows remote attackers to inject arbitrary web script or
HTML via the HTTP Host header.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1030
http://www.securityfocus.com/archive/1/archive/1/501667/100/0/threaded
http://www.milw0rm.com/exploits/8196
http://www.securitytracker.com/id?1021838
http://xforce.iss.net/xforce/xfdb/49184

Solution:
Please apply the patch from wordpress-mu-2.7.

Comment 1 Jan Lieskovsky 2009-03-20 12:14:54 UTC
This issue affects the version of the wordpress-mu package, as shipped
with Fedora release of 10.

This issue does not affect the version of the wordpress-mu package,
as shipped with Fedora devel.

Comment 2 Bret McMillan 2009-04-08 16:10:58 UTC
Two things to note about this vuln:

1) I've not been able to reproduce the proof-of-concept code from milw0rm using httpd-2.2.11-2.fc10.x86_64.  That version of apache and above appears to recognize "<" and ">" as illegal characters in that header field.  I'm not sure if this is limited to HTTP 1.1 or covers both, but it limits the scope of the attacks somewhat.  PHP fronted by other webservers, however, may allow such characters to pass through to the app.

2) I've not yet been able to figure out how to create circumstances where an illicit string is passed as the host header, and yields a rendered page.  WPMU matches the Host header against entries in the wp_sites table; an illicit entry would have to yield a sufficient match there for the page not to bail with "No site defined on this host."

If folks have better reproducers, I'd be interested in seeing 'em.

Regardless, I've backported the fix from 2.7 to nerf the code a bit, and will file an update asap.

Comment 3 Fedora Update System 2009-04-08 16:12:27 UTC
wordpress-mu-2.6.5-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/wordpress-mu-2.6.5-2.fc10

Comment 4 Fedora Update System 2009-04-09 16:14:24 UTC
wordpress-mu-2.6.5-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.