Bug 491318 (CVE-2009-1030) - CVE-2009-1030 wordpress-mu: XSS vulnerability in helper function for WPMU
Summary: CVE-2009-1030 wordpress-mu: XSS vulnerability in helper function for WPMU
Alias: CVE-2009-1030
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.securityfocus.com/archive/...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-03-20 12:12 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:29 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2009-03-20 12:12:57 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1030 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in the choose_primary_blog
function in wp-includes/wpmu-functions.php in WordPress MU (WPMU)
before 2.7 allows remote attackers to inject arbitrary web script or
HTML via the HTTP Host header.


Please apply the patch from wordpress-mu-2.7.

Comment 1 Jan Lieskovsky 2009-03-20 12:14:54 UTC
This issue affects the version of the wordpress-mu package, as shipped
with Fedora release of 10.

This issue does not affect the version of the wordpress-mu package,
as shipped with Fedora devel.

Comment 2 Bret McMillan 2009-04-08 16:10:58 UTC
Two things to note about this vuln:

1) I've not been able to reproduce the proof-of-concept code from milw0rm using httpd-2.2.11-2.fc10.x86_64.  That version of apache and above appears to recognize "<" and ">" as illegal characters in that header field.  I'm not sure if this is limited to HTTP 1.1 or covers both, but it limits the scope of the attacks somewhat.  PHP fronted by other webservers, however, may allow such characters to pass through to the app.

2) I've not yet been able to figure out how to create circumstances where an illicit string is passed as the host header, and yields a rendered page.  WPMU matches the Host header against entries in the wp_sites table; an illicit entry would have to yield a sufficient match there for the page not to bail with "No site defined on this host."

If folks have better reproducers, I'd be interested in seeing 'em.

Regardless, I've backported the fix from 2.7 to nerf the code a bit, and will file an update asap.

Comment 3 Fedora Update System 2009-04-08 16:12:27 UTC
wordpress-mu-2.6.5-2.fc10 has been submitted as an update for Fedora 10.

Comment 4 Fedora Update System 2009-04-09 16:14:24 UTC
wordpress-mu-2.6.5-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.