Bug 235015 - (CVE-2007-1732) CVE-2007-1732: wordpress mt import XSS
Product: Fedora
Classification: Fedora
Component: wordpress
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: John Berninger
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Reported: 2007-04-03 07:08 EDT by Ville Skyttä
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-04-08 18:22:50 EDT
Description Ville Skyttä 2007-04-03 07:08:02 EDT

"** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in
wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators
to inject arbitrary web script or HTML via the demo parameter. NOTE: the
provenance of this information is unknown; the details are obtained solely from
third party information. NOTE: another researcher disputes this issue, stating
that this is legitimate functionality for administrators. However, it has been
patched by at least one vendor."

Posted for maintainer assessment whether this is a feature or a bug, and whether
it affects current FE releases.  FWIW, Gentoo has patched it.
Comment 1 John Berninger 2007-04-08 18:22:50 EDT
This looks to me like a valid feature - it requires authentication and willing
interaction on the part of the authenticated individual to exploit.  I can't
really call someone who knowingly and willingly uses such a feature a "victim".
 Although I can see where some would consider this a bug, I don't.  If someone
can point out a scheme whereby this would be a problem, I'm willing to be
convinced otherwise, but until then, CLOSED-NOTABUG
Comment 2 Ville Skyttä 2007-04-09 04:23:51 EDT
Just some general data points for consideration, I'm not necessarily disagreeing
with comment 1:

Missing/ineffective cross site request forgery prevention measures would
invalidate the "knowing/willing" assumption.  But if I understand correctly,
WordPress's admin UI has that protection.

Requiring authentication and willing interaction doesn't IMO make this a feature
if the goal was not to provide a possibility for injection of arbitrary markup
or scripts; it just affects the attack vectors.
