Bug 512900 (CVE-2009-2851) - CVE-2009-2851 WordPress: XSS via unescaped HTML URLs as author comments in the admin page
Summary: CVE-2009-2851 WordPress: XSS via unescaped HTML URLs as author comments in t...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2851
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://wordpress.org/development/2009...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-21 09:07 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:30 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 16:13:31 UTC
Embargoed:


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-07-21 09:07:58 UTC
From WordPress blog:

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs
were not fully sanitized when displayed in the admin. This could
be exploited to redirect you away from the admin to another site. 

References:
-----------
http://wordpress.org/development/2009/07/wordpress-2-8-2/
http://bugs.gentoo.org/show_bug.cgi?id=278492

Note: Please be sure to mention CVE identifier in the WordPress's 
      rpm Changelog when scheduling Fedora updates / addressing this
      flaw.

Comment 1 Adrian Reber 2009-07-21 09:31:59 UTC
Is there already a CVE identifier assigned? Should I wait with the update until there is a CVE identifier available?

Comment 2 Jan Lieskovsky 2009-07-21 10:05:23 UTC
CVE for this issue was requested here:

http://www.openwall.com/lists/oss-security/2009/07/21/1

Would be better to have CVE identifier associated with the fix, 
but if it isn't assigned in two days (you will notice, as this 
bug will be updated with it), go ahead and schedule the Fedora
WordPress updates.

But for now please wait a little bit (for it).

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 3 Adrian Reber 2009-07-24 07:11:04 UTC
It has been a few days without any news. I would really like to push the updates. It is somehow silly to wait if the update is already available.

Comment 4 Fedora Update System 2009-07-28 11:33:56 UTC
wordpress-2.8.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.fc11

Comment 5 Fedora Update System 2009-07-28 11:34:35 UTC
wordpress-2.8.2-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.fc10

Comment 6 Fedora Update System 2009-07-28 11:35:17 UTC
wordpress-2.8.2-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/wordpress-2.8.2-1.el5

Comment 7 Fedora Update System 2009-07-28 17:23:51 UTC
wordpress-2.8.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2009-07-29 21:33:34 UTC
wordpress-2.8.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2009-07-29 21:35:41 UTC
wordpress-2.8.2-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Jan Lieskovsky 2009-08-19 10:16:50 UTC
MITRE's CVE-2009-2851 record:
-----------------------------

Cross-site scripting (XSS) vulnerability in the administrator
interface in WordPress before 2.8.2 allows remote attackers to inject
arbitrary web script or HTML via a comment author URL.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2851
http://www.openwall.com/lists/oss-security/2009/07/21/1
http://bugs.gentoo.org/show_bug.cgi?id=278492
http://wordpress.org/development/2009/07/wordpress-2-8-2/
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01241.html
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg01253.html
http://securitytracker.com/id?1022589


Note You need to log in before you can comment on or make changes to this bug.