Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1030 to
the following vulnerability:
Cross-site scripting (XSS) vulnerability in the choose_primary_blog
function in wp-includes/wpmu-functions.php in WordPress MU (WPMU)
before 2.7 allows remote attackers to inject arbitrary web script or
HTML via the HTTP Host header.
Please apply the patch from wordpress-mu-2.7.
This issue affects the version of the wordpress-mu package, as shipped
with Fedora release of 10.
This issue does not affect the version of the wordpress-mu package,
as shipped with Fedora devel.
Two things to note about this vuln:
1) I've not been able to reproduce the proof-of-concept code from milw0rm using httpd-2.2.11-2.fc10.x86_64. That version of apache and above appears to recognize "<" and ">" as illegal characters in that header field. I'm not sure if this is limited to HTTP 1.1 or covers both, but it limits the scope of the attacks somewhat. PHP fronted by other webservers, however, may allow such characters to pass through to the app.
2) I've not yet been able to figure out how to create circumstances where an illicit string is passed as the host header, and yields a rendered page. WPMU matches the Host header against entries in the wp_sites table; an illicit entry would have to yield a sufficient match there for the page not to bail with "No site defined on this host."
If folks have better reproducers, I'd be interested in seeing 'em.
Regardless, I've backported the fix from 2.7 to nerf the code a bit, and will file an update asap.
wordpress-mu-2.6.5-2.fc10 has been submitted as an update for Fedora 10.
wordpress-mu-2.6.5-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.