Bug 447888 - (CVE-2008-2392) CVE-2008-2392 wordpress: Malicious File Execution Vulnerability
CVE-2008-2392 wordpress: Malicious File Execution Vulnerability
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=cve,reported=20080521,public=2...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-05-22 06:40 EDT by Tomas Hoger
Modified: 2010-12-23 14:05 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 14:05:32 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-05-22 06:40:19 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2392 to the following vulnerability:

Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.

Refences:
http://www.securityfocus.com/archive/1/archive/1/492230/100/0/threaded
http://www.securityfocus.com/bid/29276
Comment 1 Tomas Hoger 2008-05-22 07:17:19 EDT
This can only be and issue in deployments, where blog administrator does not
have a local access to web server or the access is restricted in a way that he
can not create php script in e.g. public_html directory to run arbitrary code as
web server user.

I'm tempted to call this notabug for Fedora.  WordPress RPM installs wordpress
files to /usr/share/wordpress, owned by user root and not writable to web server
user.

For uploads to work, system administrator would have to change permissions on
wp-content/uploads directory to make uploads possible.  Blog admin can possibly
change upload directory, but, by default, there is no directory writable to web
server user that is also configured to be served via web server.

Second vector described in the announcement can not be exploited by default as
well, as plugin files are not writable to to web server user and can not be
modified to contain malicious php code.

I failed to find any related ticket in the upstream trac.  Adrian, John, do you
know whether upstream has any statement regarding this or are planning to
implement any fixes for this issue?  Do you agree with notabug assessment of
this problem or have I missed anything in my analysis?  Thanks!
Comment 2 Adrian Reber 2008-05-24 18:37:58 EDT
I do not know if upstream is planning anything. But I am not following
development close enough to really make a valid statement.

Like you described it, it does not sound like it seems to be problem for the
default Fedora installation and therefore I agree with you to close it.

If upstream would release a new version I would update to the newest version
because this seems always the best with wordpress.
Comment 3 Vincent Danen 2010-12-23 14:05:32 EST
This behaviour is intentional, as per http://codex.wordpress.org/CVEs#2008 :

""Admin" user has ability to edit plugins and upload files if file permissions allow- this is intentional."

Note You need to log in before you can comment on or make changes to this bug.