Bug 431547 (CVE-2008-0664) - CVE-2008-0664 wordpress: XML-RPC interface vulnerability
Summary: CVE-2008-0664 wordpress: XML-RPC interface vulnerability
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2008-0664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: source=gentoo,reported=20080205,publi...
Depends On: 431549 431550 431551
Blocks:
Reported: 2008-02-05 13:14 UTC by Tomas Hoger
Modified: 2019-06-08 12:27 UTC (History)
CC List: 3 users

Fixed In Version: 2.3.3-0.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-13 05:08:53 UTC



Description Tomas Hoger 2008-02-05 13:14:48 UTC
WordPress 2.3.3 was released with the following announcement:

  WordPress 2.3.3 is an urgent security release. A flaw was found in our
  XML-RPC implementation such that a specially crafted request would allow
  any valid user to edit posts of any other user on that blog.

  http://wordpress.org/development/2008/02/wordpress-233/

Upstream bug report:
http://trac.wordpress.org/ticket/5313

Some PoCs are already available publicly:
http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/

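The flaw class described in the announcement (a valid, low-privileged user editing another user's post through the XML-RPC editPost method) is illustrated below with an added, self-contained example. It is not code from WordPress, from the upstream ticket, or from this bug report: the users, post, role model and error strings are constructed for the demonstration, and the `metaWeblog.editPost` argument order `(postid, username, password, content, publish)` is the standard one for that method. The handler is driven through Python's in-process XML-RPC dispatcher with a real request body, so the exchange runs offline; the actual upstream fix lives in the Trac ticket above.

```python
"""Vulnerable-vs-fixed model of a WordPress XML-RPC editPost handler.

Added example (not WordPress code). The vulnerable handler authenticates the
caller but never checks whether the caller may edit the target post; the fixed
handler adds the authorization check that the announcement implies was missing.
"""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed sample data: two authors, one post that belongs to alice.
USERS = {
    "alice": {"password": "alice-pw", "role": "author"},
    "bob": {"password": "bob-pw", "role": "author"},
}
POSTS = {7: {"author": "alice", "title": "Original", "description": "Hello"}}

# Real method name; args are (postid, username, password, content, publish).
METHOD = "metaWeblog.editPost"


def _login(username, password):
    """Authentication only: proves who the caller is, not what they may do."""
    user = USERS.get(username)
    if user is None or user["password"] != password:
        raise xmlrpc.client.Fault(403, "Bad login/pass combination.")
    return username


def _can_edit(username, post_id):
    """Assumed model of a current_user_can('edit_post', post_id) check:
    the owner may edit, and so may an editor/administrator."""
    post = POSTS[post_id]
    return post["author"] == username or USERS[username]["role"] in (
        "editor",
        "administrator",
    )


def edit_post_vulnerable(post_id, username, password, content, publish=False):
    """Authenticates, then edits whatever post ID the request names."""
    _login(username, password)
    POSTS[post_id].update(title=content["title"], description=content["description"])
    return True


def edit_post_fixed(post_id, username, password, content, publish=False):
    """Same handler with the per-post authorization check added."""
    user = _login(username, password)
    if not _can_edit(user, post_id):
        # Illustrative fault; the exact upstream code/message is not shown here.
        raise xmlrpc.client.Fault(401, "You do not have the right to edit this post.")
    POSTS[post_id].update(title=content["title"], description=content["description"])
    return True


def _make_dispatcher(handler):
    d = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
    d.register_function(handler, METHOD)
    return d


def xmlrpc_edit(handler, username, password, post_id=7):
    """Build a real editPost request body as `username`, dispatch it to
    `handler`, and report (outcome, resulting title of the post)."""
    POSTS[post_id].update(title="Original", description="Hello")  # reset state
    body = xmlrpc.client.dumps(
        (post_id, username, password, {"title": "Spam", "description": "Buy now"}, True),
        methodname=METHOD,
    )
    response = _make_dispatcher(handler)._marshaled_dispatch(body.encode("utf-8"))
    try:
        xmlrpc.client.loads(response)  # raises Fault on a <fault> response
        return "edited", POSTS[post_id]["title"]
    except xmlrpc.client.Fault as fault:
        return "fault %d" % fault.faultCode, POSTS[post_id]["title"]


if __name__ == "__main__":
    # bob (not the owner) against alice's post: succeeds on the vulnerable
    # handler, is refused by the fixed one; alice still edits her own post.
    print("vulnerable, bob:", xmlrpc_edit(edit_post_vulnerable, "bob", "bob-pw"))
    print("fixed, bob:     ", xmlrpc_edit(edit_post_fixed, "bob", "bob-pw"))
    print("fixed, alice:   ", xmlrpc_edit(edit_post_fixed, "alice", "alice-pw"))
```

The same request shape, sent with a low-privileged account's credentials against a post ID that account does not own, is the check to run against a patched install: a fixed server answers with an XML-RPC fault and the post is unchanged, whereas the pre-2.3.3 behaviour described in the announcement is a successful edit.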
Comment 2 Bryan O'Sullivan 2008-02-09 04:56:34 UTC
This is being actively exploited.  My F8 server running 2.3.2 was hit by a
spammer using this hole today.

Comment 3 John Berninger 2008-02-09 05:14:40 UTC
Building new packages for F-7, F-8, -devel.  Will push as security updates as
soon as they complete.

Comment 4 Bryan O'Sullivan 2008-02-09 05:20:59 UTC
Thanks. I was about to do that myself when I found you'd already started.

Comment 5 John Berninger 2008-02-09 05:37:39 UTC
Packages rebuilt, awaiting security team approval for final push to stable repos

Comment 6 Lubomir Kundrak 2008-02-09 11:47:03 UTC
John: You submitted the update for testing. I will assume that you meant it for
stable and push it there.

Comment 7 Lubomir Kundrak 2008-02-09 11:47:35 UTC
Oh, pardon me, I lied above :} Approved though.

Comment 8 Fedora Update System 2008-02-13 04:59:05 UTC
wordpress-2.3.3-0.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-02-13 05:08:45 UTC
wordpress-2.3.3-0.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
