An improper input sanitization flaw was found in the way WordPress requested user SSH/FTP credentials in order to connect to the filesystem. A remote attacker, with WordPress administrator privilege, could use this flaw to conduct cross-site scripting (XSS) attacks (execute arbitrary HTML or scripting code).

References:
[1] http://codex.wordpress.org/Version_3.0.2

Upstream changeset:
[2] http://core.trac.wordpress.org/changeset/16367
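The report above names the flaw class (a credentials form that does not sanitize input before it reaches the page) without showing code. The following is an added illustration, not WordPress code or the upstream fix: a hypothetical connection form that reflects a submitted hostname into an attribute, once unescaped and once with attribute-context encoding, with a small parser that shows what the browser would see in each case. The field names and submitted values are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed sample submission (hypothetical, not from the advisory): a
# hostname value carrying a double quote, which matters in an attribute context.
SUBMITTED = {
    "hostname": 'ftp.example.test" autofocus onfocus="alert(1)',
    "username": "deploy",
}
FIELDS = ("hostname", "username")


def render_field_unescaped(name: str, value: str) -> str:
    """Reflects the submitted value straight into the attribute: the missing
    sanitization that lets a value terminate the attribute and add new ones."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_field_escaped(name: str, value: str) -> str:
    """Hardened variant: encode for an HTML attribute (quote=True also
    encodes ' and "), so the value cannot escape the quoted attribute."""
    return f'<input type="text" name="{name}" value="{html.escape(value, quote=True)}">'


def render_form(values: dict, escape: bool = True) -> str:
    render = render_field_escaped if escape else render_field_unescaped
    rows = [render(field, values.get(field, "")) for field in FIELDS]
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


class InputCollector(HTMLParser):
    """Collects the attributes of every <input> as a browser would parse them."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "input":
            self.inputs.append(dict(attrs))


def parse_inputs(markup: str) -> list[dict]:
    """Returns one attribute dict per <input> in the rendered form."""
    collector = InputCollector()
    collector.feed(markup)
    return collector.inputs
```

With the unescaped renderer the parsed hostname input gains an `onfocus` attribute; with the escaped renderer the same submission comes back as a single `value` attribute equal to the original string.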
This issue affects the versions of the wordpress package, as shipped with Fedora releases 13 and 14. Please fix.

--

This issue affects the version of the wordpress package, as present within the EPEL-5 repository. Please schedule an update.
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/02/1
Created wordpress tracking bugs for this issue Affects: fedora-all [bug 659319]
Why does WordPress need filesystem credentials in the first place?

http://wordpress.org/support/topic/filesystem-credentials-very-bad-practice-and-totally-unnecessary
http://pastebin.com/WsP7tabM

In his first reply "Otto" says "Firstly, it actually does check to see that it has access to the webroot with the proper owner and group permissions first." This is not true. If you check the code path (wp-admin/includes/ WP_Upgrader->run(), fs_connect()) you can tell that it insists on asking for filesystem credentials (FTP or even SSH) before the actual file download (download_url() -> wp_remote_get()) is attempted. If checking those filesystem credentials fails it bombs out and never attempts to download the theme.

Then in the 5th comment he says "It's a matter of it being capable of replacing the files and having the file replacements have the same user and group ownership." He seems to be arguing the use of FTP is a convenience for when file system ownership or permissions on created files is incorrect. But no attempt is made by the application to install that downloaded file using a fwrite(); it always "falls back" to FTP. This approach *forces* you to supply FTP credentials or no theme will be installed.