Bug 491318 - (CVE-2009-1030) CVE-2009-1030 wordpress-mu: XSS vulnerability in helper function for WPMU
CVE-2009-1030 wordpress-mu: XSS vulnerability in helper function for WPMU
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
  Show dependency treegraph
Reported: 2009-03-20 08:12 EDT by Jan Lieskovsky
Modified: 2016-03-04 05:40 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2009-03-20 08:12:57 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1030 to
the following vulnerability:

Cross-site scripting (XSS) vulnerability in the choose_primary_blog
function in wp-includes/wpmu-functions.php in WordPress MU (WPMU)
before 2.7 allows remote attackers to inject arbitrary web script or
HTML via the HTTP Host header.


Please apply the patch from wordpress-mu-2.7.
Comment 1 Jan Lieskovsky 2009-03-20 08:14:54 EDT
This issue affects the version of the wordpress-mu package, as shipped
with Fedora release of 10.

This issue does not affect the version of the wordpress-mu package,
as shipped with Fedora devel.
Comment 2 Bret McMillan 2009-04-08 12:10:58 EDT
Two things to note about this vuln:

1) I've not been able to reproduce the proof-of-concept code from milw0rm using httpd-2.2.11-2.fc10.x86_64.  That version of apache and above appears to recognize "<" and ">" as illegal characters in that header field.  I'm not sure if this is limited to HTTP 1.1 or covers both, but it limits the scope of the attacks somewhat.  PHP fronted by other webservers, however, may allow such characters to pass through to the app.

2) I've not yet been able to figure out how to create circumstances where an illicit string is passed as the host header, and yields a rendered page.  WPMU matches the Host header against entries in the wp_sites table; an illicit entry would have to yield a sufficient match there for the page not to bail with "No site defined on this host."

If folks have better reproducers, I'd be interested in seeing 'em.

Regardless, I've backported the fix from 2.7 to nerf the code a bit, and will file an update asap.
Comment 3 Fedora Update System 2009-04-08 12:12:27 EDT
wordpress-mu-2.6.5-2.fc10 has been submitted as an update for Fedora 10.
Comment 4 Fedora Update System 2009-04-09 12:14:24 EDT
wordpress-mu-2.6.5-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.