Debian Bug report logs - #437085
CVE-2007-1599: wp-login.php allows remote attackers to redirect authenticated users to other websites

version graph

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 10 Aug 2007 11:27:01 UTC

Severity: minor

Fixed in versions wordpress/2.0.10-1etch3, 2.2.2-1

Done: Giuseppe Iuculano <giuseppe@iuculano.it>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#437085; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: several CVEs against wordpress
Date: Fri, 10 Aug 2007 21:23:42 +1000
Package: wordpress
Severity: important

Hi

There are three CVE numbers[0][1][2] issued for wordpress.
Unfortunately, they do not tell me a lot. Can you maybe have a look at
them and checkout, if they affect the current debian versions?

The three texts say:


CVE-2007-1599:

wp-login.php in WordPress allows remote attackers to redirect
authenticated users to other websites and potentially obtain sensitive
information via the redirect_to parameter.



CVE-2007-2627:

Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress,
when custom 404 pages that call get_sidebar are used, allows remote
attackers to inject arbitrary web script or HTML via the query string
(PHP_SELF), a different vulnerability than CVE-2007-1622.



CVE-2007-3238:

Cross-site scripting (XSS) vulnerability in functions.php in the default
theme in WordPress 2.2 allows remote authenticated administrators to
inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to
wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE:
this might not cross privilege boundaries in some configurations, since
the Administrator role has the unfiltered_html capability.


Please also note the CVE numbers in the changelog, if you should decide
to include fixes.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1599

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2627

[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3238



Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#437085; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to hendry@iki.fi:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #10 received at 437085@bugs.debian.org (full text, mbox):

From: "Kai Hendry" <kai.hendry@gmail.com>
To: 437085@bugs.debian.org
Subject: Fwd: http://wordpress.org/development/2007/06/wordpress-221/
Date: Fri, 10 Aug 2007 12:36:19 +0100
I am urging the security team to sponsor 2.0.11 into the stable archive.

As for testing/unstable and 2.2.2 has 2627 and 3238 fixed. 1599 is not
a priority.

---------- Forwarded message ----------
From: Mark Jaquith <mark.jaquith@txfx.net>
Date: Aug 3, 2007 10:05 PM
Subject: Re: http://wordpress.org/development/2007/06/wordpress-221/
To: hendry@iki.fi, Ryan Boren <ryan@boren.nu>


CVE-2007-0540 - This won't be fixed for this version.  It's a tricky
problem without an obvious solution.  It's low on the security ladder,
thankfully.

CVE-2007-1230 - This is rather vague, but the one I can glean from it
was already fixed in 2.0.10 - http://trac.wordpress.org/changeset/5058

CVE-2007-1244 - This is XSS, not CSRF.  It is fixed... likely in [5058]

CVE-2007-1599 - This won't be fixed for this version.  We are
discussing the issue.  It's not really an exploit so much as a very
slight Phishing aid, so it's not a huge priority.

CVE-2007-1732 - There is no such parameter -- the bug is inadequately described.

CVE-2007-2627 - This was fixed almost two years ago:
http://trac.wordpress.org/changeset/2884/trunk/wp-content/themes/default/searchform.php

CVE-2007-2821 - This will be fixed in 2.0.11 (
http://trac.wordpress.org/changeset/5442 )

CVE-2007-3140 - Does not apply to 2.0.x branch

CVE-2007-3238 - This will be fixed in 2.0.11 (
http://trac.wordpress.org/changeset/5680/branches/2.0/wp-content/themes/default/functions.php
)

On 8/3/07, Kai Hendry <kai.hendry@gmail.com> wrote:
> http://security-tracker.debian.net/tracker/source-package/wordpress
>
> I'm having trouble tracking down these CVEs in Trac. :)
>
> I hope you can give me some pointers. Debian security and putting the
> screws in again!
>
>


--
Mark Jaquith
http://markjaquith.com/ | http://txfx.net/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/



Reply sent to Kai Hendry <hendry@iki.fi>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 437085-done@bugs.debian.org (full text, mbox):

From: Kai Hendry <hendry@iki.fi>
To: 437085-done@bugs.debian.org
Subject: closing
Date: Fri, 10 Aug 2007 12:47:36 +0100
Thanks for your concern Steffen.

I'll make more of an effort to mark the CVEs in the changelogs.



Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#437085; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #20 received at 437085@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 437085@bugs.debian.org
Subject: Re: Bug#437085 closed by Kai Hendry <hendry@iki.fi> (closing)
Date: Fri, 10 Aug 2007 21:58:16 +1000
[Message part 1 (text/plain, inline)]
Hi

Thanks for checking the wordpress package. Can you please tell me in which 
debian version the CVEs are fixed? This way I can mark them with the version 
number in our security tracker.

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#437085; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #25 received at 437085@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 437085@bugs.debian.org
Subject: reopen until last CVE is closed :)
Date: Mon, 13 Aug 2007 21:00:09 +1000
[Message part 1 (text/plain, inline)]
reopen 437085
severity 437085 normal
thanks

Hi

Thanks for all the detailed information. I reopen the bugreport and set it to 
severity "normal" until CVE-2007-1599 is fixed. Hope this is ok with you :)

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Bug reopened, originator not changed. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Mon, 13 Aug 2007 11:00:02 GMT) Full text and rfc822 format available.

Severity set to `normal' from `important' Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Mon, 13 Aug 2007 11:00:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#437085; Package wordpress. Full text and rfc822 format available.

Acknowledgement sent to hendry@iki.fi:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>. Full text and rfc822 format available.

Message #34 received at 437085@bugs.debian.org (full text, mbox):

From: "Kai Hendry" <kai.hendry@gmail.com>
To: "Steffen Joeris" <steffen.joeris@skolelinux.de>, 437085@bugs.debian.org
Subject: Re: Bug#437085: reopen until last CVE is closed :)
Date: Mon, 13 Aug 2007 12:05:23 +0100
Ok, though just to recall upstream's comments on this one:

CVE-2007-1599 - This won't be fixed for this version.  We are
discussing the issue.  It's not really an exploit so much as a very
slight Phishing aid, so it's not a huge priority.


So I might adjust the severity to minor.



Cheers,



Severity set to `minor' from `normal' Request was from Kai Hendry <hendry@iki.fi> to control@bugs.debian.org. (Mon, 13 Aug 2007 11:24:01 GMT) Full text and rfc822 format available.

Changed Bug title to `CVE-2007-1599: wp-login.php allows remote attackers to redirect authenticated users to other websites' from `several CVEs against wordpress'. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Sun, 02 Nov 2008 01:57:02 GMT) Full text and rfc822 format available.

Bug Marked as fixed in versions wordpress/2.0.10-1etch3. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Sat, 15 Aug 2009 16:18:07 GMT) Full text and rfc822 format available.

Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sat, 15 Aug 2009 16:18:09 GMT) Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 15 Aug 2009 16:18:09 GMT) Full text and rfc822 format available.

Message #45 received at 437085-done@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 437085-done@bugs.debian.org
Subject: fixed
Date: Sat, 15 Aug 2009 18:15:38 +0200
[Message part 1 (text/plain, inline)]
Version: 2.2.2-1

Fixed in wordpress 2.2.2-1

Cheers,
Giuseppe.

[signature.asc (application/pgp-signature, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Sep 2009 07:45:23 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:18:43 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.