Bug 659294

Summary: WordPress: XSS in requesting user credentials in order to connect to the filesystem
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: gwync, herrold, leonard-rh-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-09-14 22:42:50 UTC
Bug Depends On: 659319, 668192

Description Jan Lieskovsky 2010-12-02 12:55:50 UTC
An improper input sanitization flaw was found in the way WordPress
requested user SSH/FTP credentials in order to connect to the
filesystem. A remote attacker, with WordPress administrator privilege,
could use this flaw to conduct cross-site scripting (XSS) attacks
(execute arbitrary HTML or scripting code).

References:
[1] http://codex.wordpress.org/Version_3.0.2

Upstream changeset:
[2] http://core.trac.wordpress.org/changeset/16367
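The flaw class described above, as an added illustration that is not WordPress's own code or the upstream fix: a credentials prompt that re-displays the submitted hostname and username, first interpolated raw into an HTML attribute, then attribute-escaped. The `attr_escape()` helper, the `credentials_form_*()` functions and the sample request are assumptions constructed for this example.

```php
<?php
// Added example, not WordPress code. attr_escape() stands in for an
// esc_attr()-style helper: entity-encode a value for a quoted HTML attribute.
function attr_escape(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: request-derived text goes straight into the attribute,
// so a double quote in the input terminates value="..." early.
function credentials_form_unsafe(array $req): string {
    $host = $req['hostname'] ?? '';
    $user = $req['username'] ?? '';
    return '<input name="hostname" type="text" value="' . $host . '">' . "\n"
         . '<input name="username" type="text" value="' . $user . '">' . "\n";
}

// Hardened pattern: every request-derived value is escaped before output,
// so quotes and angle brackets become entities and stay inside the attribute.
function credentials_form_safe(array $req): string {
    $host = attr_escape($req['hostname'] ?? '');
    $user = attr_escape($req['username'] ?? '');
    return '<input name="hostname" type="text" value="' . $host . '">' . "\n"
         . '<input name="username" type="text" value="' . $user . '">' . "\n";
}

// Returns true when the rendered form still contains a raw quote from the
// input, i.e. the attribute boundary was broken by user-controlled text.
function attribute_broken(string $html, string $submitted): bool {
    return str_contains($submitted, '"') && str_contains($html, 'value="' . $submitted . '"');
}

// Constructed sample request: a hostname carrying attribute-breaking characters
// (no script; the point is that the quote leaves the attribute).
$sample = [
    'hostname' => 'ftp.example.org" data-x="y',
    'username' => 'wp<user>',
];

$unsafe = credentials_form_unsafe($sample);
$safe   = credentials_form_safe($sample);

echo "raw output breaks attribute: "
   . (attribute_broken($unsafe, $sample['hostname']) ? 'yes' : 'no') . "\n";
echo "escaped output breaks attribute: "
   . (attribute_broken($safe, $sample['hostname']) ? 'yes' : 'no') . "\n";
echo $safe;
```

Run with `php example.php` (PHP 8+ for `str_contains`); the escaped form shows `&quot;` and `&lt;user&gt;` in place of the raw characters.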

Comment 1 Jan Lieskovsky 2010-12-02 12:59:59 UTC
This issue affects the versions of the wordpress package, as shipped
with Fedora releases 13 and 14.

Please fix.

--

This issue affects the version of the wordpress package, as present
within the EPEL-5 repository.

Please schedule an update.

Comment 2 Jan Lieskovsky 2010-12-02 14:42:22 UTC
CVE Request:
http://www.openwall.com/lists/oss-security/2010/12/02/1

Comment 3 Jan Lieskovsky 2010-12-02 14:44:53 UTC
Created wordpress tracking bugs for this issue

Affects: fedora-all [bug 659319]

Comment 4 Leonard den Ottolander 2010-12-21 12:04:51 UTC
Why does WordPress need filesystem credentials in the first place?

http://wordpress.org/support/topic/filesystem-credentials-very-bad-practice-and-totally-unnecessary

http://pastebin.com/WsP7tabM

In his first reply "Otto" says "Firstly, it actually does check to see that it has access to the webroot with the proper owner and group permissions first."

This is not true. If you check the code path (wp-admin/includes/ WP_Upgrader->run(), fs_connect()) you can tell that it insists on asking for filesystem credentials (FTP or even SSH) before the actual file download (download_url() -> wp_remote_get()) is attempted. If checking those filesystem credentials fails it bombs out and never attempts to download the theme.

Then in the 5th comment he says "It's a matter of it being capable of replacing the files and having the file replacements have the same user and group ownership." He seems to be arguing that the use of FTP is a convenience for when file system ownership or permissions on created files are incorrect. But no attempt is made by the application to install that downloaded file using a fwrite(); it always "falls back" to FTP.

This approach *forces* you to supply FTP credentials or no theme will be installed.