An improper input sanitization flaw was found in the way Wordpress performed trackbacks (a way to notify a website when an entry that references it is published) maintainance. A remote attacker, with Author-level privilege could use this flaw to conduct SQL injection attacks (gain further access to the site, which should be otherwise prohibited). References: [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605603 [2] http://codex.wordpress.org/Version_3.0.2 Upstream changeset: [3] http://core.trac.wordpress.org/changeset/16625 Note: You may want to use w3m browser, when trying to access [2], and [3], as we are having troubles / timeouts, when accessing it via firefox / konqueror. Will post a copy of upstream patch here.
This issue affects the version of the wordpress package, as shipped with Fedora release of 13 and 14. Please fix. -- This issue affects the version of the wordpress package, as present within EPEL-5 repository. Please schedule an update.
Created attachment 464225 [details] Promised local copy of upstream changeset
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/02/1
Created wordpress tracking bugs for this issue Affects: fedora-all [bug 659319]
The CVE identifier of CVE-2010-4257 has been assigned to this issue.