Debian Bug report logs - #500115
CVE-2008-4106: WordPress allows remote attackers to change an arbitrary user's password to a random value

version graph

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Thu, 25 Sep 2008 08:57:09 UTC

Severity: grave

Tags: security

Found in version wordpress/2.0.10-1

Fixed in version wordpress/2.5.1-8

Done: Andrea De Iacovo <andrea.de.iacovo@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#500115; Package wordpress. (Thu, 25 Sep 2008 08:57:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Thu, 25 Sep 2008 08:57:12 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: submit@bugs.debian.org
Subject: CVE-2008-4106: WordPress allows remote attackers to change an arbitrary user's password to a random value
Date: Thu, 25 Sep 2008 10:56:29 +0200
Package: wordpress
Version: 2.0.10-1
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.

CVE-2008-4106[0]:
| WordPress before 2.6.2 does not properly handle MySQL warnings about
| insertion of username strings that exceed the maximum column width
| of the user_login column, and does not properly handle space
| characters when comparing usernames, which allows remote attackers
| to change an arbitrary user's password to a random value by
| registering a similar username and then requesting a password reset,
| related to a "SQL column truncation vulnerability." NOTE: the
| attacker can discover the random password by also exploiting
| CVE-2008-4107. 

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4106
    http://security-tracker.debian.net/tracker/CVE-2008-4106




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#500115; Package wordpress. (Thu, 25 Sep 2008 18:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list. (Thu, 25 Sep 2008 18:12:03 GMT) Full text and rfc822 format available.

Message #10 received at 500115@bugs.debian.org (full text, mbox):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 500115@bugs.debian.org
Subject: Re: Bug#500115: CVE-2008-4106: WordPress allows remote attackers to change an arbitrary user's password to a random value
Date: Thu, 25 Sep 2008 20:08:30 +0200
[Message part 1 (text/plain, inline)]
> Package: wordpress
> Version: 2.0.10-1
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for wordpress.
> 
> CVE-2008-4106[0]:
> | WordPress before 2.6.2 does not properly handle MySQL warnings about
> | insertion of username strings that exceed the maximum column width
> | of the user_login column, and does not properly handle space
> | characters when comparing usernames, which allows remote attackers
> | to change an arbitrary user's password to a random value by
> | registering a similar username and then requesting a password reset,
> | related to a "SQL column truncation vulnerability." NOTE: the
> | attacker can discover the random password by also exploiting
> | CVE-2008-4107. 
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4106
>     http://security-tracker.debian.net/tracker/CVE-2008-4106
> 
> 

I prepared a new package and now I'm waiting for my sponsor to upload
it.

Thank you for reporting.

Regards.

Andrea De Iacovo
[signature.asc (application/pgp-signature, inline)]

Reply sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
You have taken responsibility. (Mon, 29 Sep 2008 18:00:07 GMT) Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. (Mon, 29 Sep 2008 18:00:07 GMT) Full text and rfc822 format available.

Message #15 received at 500115-close@bugs.debian.org (full text, mbox):

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 500115-close@bugs.debian.org
Subject: Bug#500115: fixed in wordpress 2.5.1-8
Date: Mon, 29 Sep 2008 17:47:04 +0000
Source: wordpress
Source-Version: 2.5.1-8

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.5.1-8.diff.gz
  to pool/main/w/wordpress/wordpress_2.5.1-8.diff.gz
wordpress_2.5.1-8.dsc
  to pool/main/w/wordpress/wordpress_2.5.1-8.dsc
wordpress_2.5.1-8_all.deb
  to pool/main/w/wordpress/wordpress_2.5.1-8_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500115@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea De Iacovo <andrea.de.iacovo@gmail.com> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 25 Sep 2008 17:02:47 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-8
Distribution: unstable
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Description: 
 wordpress  - weblog manager
Closes: 500115
Changes: 
 wordpress (2.5.1-8) unstable; urgency=high
 .
   * Added 009CVE2008-4106 patch. (Closes: #500115)
     Whitespaces in user name are now checked during login.
     It's not possible to register an "admin(n-whitespaces)" user anymore
     to gain unauthorized access to the admin panel.
Checksums-Sha1: 
 ddcd32a0c62f44ddcd8aeddb9ea3589e35bfcc9a 1311 wordpress_2.5.1-8.dsc
 d46ab90741cd29130132501de46c4184b78947f6 696271 wordpress_2.5.1-8.diff.gz
 e9c1893007224f096207b4a665dede19236f275e 1040448 wordpress_2.5.1-8_all.deb
Checksums-Sha256: 
 2ea559a1c1fe59970cf6b651821efd63691429b0ea4506c0ca554a377fd9f27a 1311 wordpress_2.5.1-8.dsc
 d620a239cd29c0d50e81b62275266758d27adbe9b74cfff6d7da0feea37a1e18 696271 wordpress_2.5.1-8.diff.gz
 4582c2b54dab7684d9e494d5a85a6c666ff82bd0751517daa77fdc7e12711904 1040448 wordpress_2.5.1-8_all.deb
Files: 
 ea1d8008d61d87a6162c52865a711728 1311 web optional wordpress_2.5.1-8.dsc
 15993dd241ed5cb18bb81a07ffc53b97 696271 web optional wordpress_2.5.1-8.diff.gz
 747a09ad403374f7876c7edc38f90546 1040448 web optional wordpress_2.5.1-8_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJI4RIYAAoJEGz0hbPcukPfZmQH/3I2aVoWjpQTYsrtrpLsgqkn
ViEO32aVazRJc5C0SKubb4JFnVdwDSpJU7dzypUesc3lEfNoQg0tx9WBLDKI72cp
ueCVWybAtS3dboYNIENcGJ9VttMN7DE44Rumcz5n0BXujGy97oXKjgwMXQO3ZGpW
s9X4OlUR+soEkF/wGFsXlt1GRaEeYLsBQ5np+kg/gUleoNeex+7hXmRi+0VQdern
ul5abAhVfXACsFdLxDE1aE3DLKh8qOnvAXupWZddp/IclVtC/W+b1AIsz5v7LC/S
0bdSVQZwh++c8zQzs/7IEWB3sy7/W+dqTDE3938aiTWYOJp3XlNst4AFGO5Ipk8=
=rvSn
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Feb 2009 07:48:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 07:12:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.