Bug 235015 (CVE-2007-1732) - CVE-2007-1732: wordpress mt import XSS
Summary: CVE-2007-1732: wordpress mt import XSS
Alias: CVE-2007-1732
Product: Fedora
Classification: Fedora
Component: wordpress
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: John Berninger
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2007-04-03 11:08 UTC by Ville Skyttä
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-04-08 22:22:50 UTC
Type: ---


Description Ville Skyttä 2007-04-03 11:08:02 UTC

"** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in
wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators
to inject arbitrary web script or HTML via the demo parameter. NOTE: the
provenance of this information is unknown; the details are obtained solely from
third party information. NOTE: another researcher disputes this issue, stating
that this is legitimate functionality for administrators. However, it has been
patched by at least one vendor."

Posted for maintainer assessment whether this is a feature or a bug, and whether
it affects current FE releases.  FWIW, Gentoo has patched it.

Comment 1 John Berninger 2007-04-08 22:22:50 UTC
This looks to me like a valid feature - it requires authentication and willing
interaction on the part of the authenticated individual to exploit.  I can't
really call someone who knowingly and willingly uses such a feature a "victim".
Although I can see where some would consider this a bug, I don't.  If someone
can point out a scheme whereby this would be a problem, I'm willing to be
convinced otherwise, but until then, CLOSED-NOTABUG

Comment 2 Ville Skyttä 2007-04-09 08:23:51 UTC
Just some general data points for consideration, I'm not necessarily disagreeing
with comment 1:

Missing/ineffective cross site request forgery prevention measures would
invalidate the "knowing/willing" assumption.  But if I understand correctly,
WordPress's admin UI has that protection.

Requiring authentication and willing interaction doesn't IMO make this a feature
if the goal was not to provide a possibility for injection of arbitrary markup
or scripts; it just affects the attack vectors.
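
The two points raised in comment 2 (a CSRF nonce keeps a forged cross-site request from reaching the reflecting code, so only a knowingly acting administrator can submit it; output encoding removes the injection regardless of who submits) can be shown side by side in a small constructed handler. This is an added illustration, not WordPress code and not a claim about how wp-admin implements either check: the action name, the `_nonce` and `demo` parameter names, the session secret and the page markup are all assumptions.

```python
import hashlib
import hmac
from html import escape
from typing import Optional, Tuple

# Constructed, illustrative server-side handling of an admin-only import page
# that echoes a request parameter back into HTML. It is not WordPress code.
ACTION = "import-mt"  # hypothetical action name used to scope the nonce


def issue_nonce(session_secret: bytes, action: str = ACTION) -> str:
    """Derive a per-session, per-action token that a cross-site page cannot know."""
    return hmac.new(session_secret, action.encode(), hashlib.sha256).hexdigest()[:20]


def verify_nonce(session_secret: bytes, nonce: Optional[str], action: str = ACTION) -> bool:
    """Constant-time comparison; a forged request carries no (or a wrong) token."""
    return hmac.compare_digest(issue_nonce(session_secret, action), nonce or "")


def render_import_unprotected(params: dict, is_admin: bool) -> Tuple[int, str]:
    """Authentication only: the 'demo' value is reflected verbatim into the page.
    Any request the admin's browser can be made to send (e.g. from a third-party
    page) reaches this line with the admin's session attached."""
    if not is_admin:
        return 403, "forbidden"
    return 200, f"<p>Importing demo file: {params.get('demo', '')}</p>"


def render_import_hardened(params: dict, is_admin: bool, session_secret: bytes) -> Tuple[int, str]:
    """Authentication, nonce check and output encoding together.
    The nonce restores the 'knowing/willing' assumption; the encoding makes the
    reflected value inert even for a willing submitter."""
    if not is_admin:
        return 403, "forbidden"
    if not verify_nonce(session_secret, params.get("_nonce")):
        return 403, "nonce check failed"
    return 200, f"<p>Importing demo file: {escape(params.get('demo', ''), quote=True)}</p>"


if __name__ == "__main__":
    secret = b"constructed-session-secret"  # constructed sample secret
    payload = {"demo": "<script>alert(1)</script>"}  # constructed sample input
    print(render_import_unprotected(payload, is_admin=True))
    print(render_import_hardened(payload, is_admin=True, session_secret=secret))
    payload["_nonce"] = issue_nonce(secret)
    print(render_import_hardened(payload, is_admin=True, session_secret=secret))
```

Without the nonce, the first handler accepts the markup from any authenticated browser, which is the scenario comment 2 says would break the "knowing/willing" argument; with it, a forged request is rejected before reflection, and a request the administrator really does submit still comes out HTML-encoded.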
