Your message dated Sun, 23 Aug 2009 14:03:09 +0000
with message-id <[email protected]>
and subject line Bug#504771: fixed in wordpress 2.0.10-1etch4
has caused the Debian Bug report #504771,
regarding wordpress can be subject of delayed attacks via cookies
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
504771: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: wordpress
Version: 2.0.7-1
Severity: grave
Tags: security
Hi,
Due to the completely incorrect usage of $_REQUEST almost all over the place
wordpress is subject to delayed attacks via cookies.
The attack can be performed as long as there is some way to inject a cookie
which is sent by the browser to the server. Note that this means that some
XSS vulnerability in wordpress or in any other service, or even by visiting a
malicious site under the same domain could lead to any of the following (and
even lots more) attacks.
Attack: Denial Of Service
Required cookies: GLOBALS=<anything>
Triggering file: index.php (just an example, basically any file including the
affected file)
Affected file: wp-settings.php
Effect: no request is processed as it aborts because of the presence of
GLOBALS in $_REQUEST
Attack: Deletion of users
Required cookies: action=dodelete, delete_option=delete, users[]=n (where n is
an integer)
Triggering file: wp-admin/users.php
Affected file: wp-admin/users.php
Note: this doesn't affect etch's version as it correctly uses $_POST
Attack: Denial Of Service
Required cookies: action=logout
Triggering file: wp-login.php
Affected file: wp-login.php
Effect: redirection loop, preventing the user from logging in
etc
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
signature.asc
Description: This is a digitally signed message part.
--- End Message ---
--- Begin Message ---
Source: wordpress
Source-Version: 2.0.10-1etch4
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:
wordpress_2.0.10-1etch4.diff.gz
to pool/main/w/wordpress/wordpress_2.0.10-1etch4.diff.gz
wordpress_2.0.10-1etch4.dsc
to pool/main/w/wordpress/wordpress_2.0.10-1etch4.dsc
wordpress_2.0.10-1etch4_all.deb
to pool/main/w/wordpress/wordpress_2.0.10-1etch4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <[email protected]> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 15 Aug 2009 11:58:32 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.0.10-1etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Andrea De Iacovo <[email protected]>
Changed-By: Giuseppe Iuculano <[email protected]>
Description:
wordpress - an award winning weblog manager
Closes: 491846 500115 504234 504243 504771 531736 531736 536724
Changes:
wordpress (2.0.10-1etch4) oldstable-security; urgency=high
.
* [2ef79dd] Removed 010CVE2008-0664.patch, it caused a regression and
wordpress 2.0.10 isn't affected by CVE-2008-0664. (Closes: #491846)
* [abbabe9] Fixed CVE-2008-1502 _bad_protocol_once function in KSES
allows remote attackers to conduct XSS attacks (Closes: #504243)
* [e8a73eb] Fixed CVE-2008-4106: Whitespaces in user name are now
checked during login. (Closes: #500115)
* [8a2e4f9] Fixed CVE-2008-4769: Sanitize "cat" query var and cast to
int before looking for a category template
* [711274f] Fixed CVE-2008-4796: missing input sanitising in embedded
copy of Snoopy.class.php (Closes: #504234)
* [17c72c0] Fixed CVE-2008-6762: Force redirect after an upgrade
(Closes: #531736)
* [88d8244] Fixed CVE-2008-6767: Only admin can upgrade wordpress.
(Closes: #531736)
* [d5c02a9] Fixed CVE-2009-2334 and CVE-2009-2854: Added some CYA cap checks
(Closes: #536724)
* [80e9dbd] Fixed CVE-2008-5113: Force REQUEST to be GET + POST. If
SERVER, COOKIE, or ENV are needed, use those superglobals directly.
(Closes: #504771)
* [7f577ca] Fixed CVE-2009-2851: Sanitize HTML URLs in author comments
* [f23d55f] Fixed CVE-2009-2853: Stop direct loading of files in wp-admin
that should only be included
Files:
d9389cbc71eee6f08b15762a97c9d537 607 web optional wordpress_2.0.10-1etch4.dsc
45349b0822fc376b8cfef51b5cec3510 50984 web optional
wordpress_2.0.10-1etch4.diff.gz
71a6aea482d0e7afb9c82701bef336e9 521060 web optional
wordpress_2.0.10-1etch4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqN5KUACgkQ62zWxYk/rQf2XgCdFV8GR2K1YxsS+LI4qrIQVc+z
FXQAoKs1Tt+JiOHxEEM61EeSOwUpUPhw
=kQoV
-----END PGP SIGNATURE-----
--- End Message ---
