Bug 659265 - (CVE-2010-4257) CVE-2010-4257 Wordpress: SQL injection flaw by processing trackbacks
CVE-2010-4257 Wordpress: SQL injection flaw by processing trackbacks
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 659319 668192
  Show dependency treegraph
Reported: 2010-12-02 05:52 EST by Jan Lieskovsky
Modified: 2013-04-04 20:35 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-04 20:35:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Promised local copy of upstream changeset (591 bytes, patch)
2010-12-02 06:02 EST, Jan Lieskovsky
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2010-12-02 05:52:59 EST
An improper input sanitization flaw was found in the way Wordpress
performed trackbacks (a way to notify a website when an entry that
references it is published) maintainance. A remote attacker,
with Author-level privilege could use this flaw to conduct
SQL injection attacks (gain further access to the site, which
should be otherwise prohibited).

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605603
[2] http://codex.wordpress.org/Version_3.0.2

Upstream changeset:
[3] http://core.trac.wordpress.org/changeset/16625

Note: You may want to use w3m browser, when trying to access [2],
      and [3], as we are having troubles / timeouts, when accessing
      it via firefox / konqueror. Will post a copy of upstream patch
Comment 1 Jan Lieskovsky 2010-12-02 05:56:38 EST
This issue affects the version of the wordpress package, as shipped
with Fedora release of 13 and 14.

Please fix.


This issue affects the version of the wordpress package, as present
within EPEL-5 repository.

Please schedule an update.
Comment 2 Jan Lieskovsky 2010-12-02 06:02:51 EST
Created attachment 464225 [details]
Promised local copy of upstream changeset
Comment 3 Jan Lieskovsky 2010-12-02 09:42:04 EST
CVE Request:
Comment 4 Jan Lieskovsky 2010-12-02 09:44:36 EST
Created wordpress tracking bugs for this issue

Affects: fedora-all [bug 659319]
Comment 5 Jan Lieskovsky 2010-12-03 06:00:41 EST
The CVE identifier of CVE-2010-4257 has been assigned to this issue.

Note You need to log in before you can comment on or make changes to this bug.