Debian Bug report logs - #504243
CVE-2008-1502: _bad_protocol_once function in KSES allows remote attackers to conduct XSS attacks

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Sun, 2 Nov 2008 02:48:02 UTC

Severity: grave

Tags: security

Found in version wordpress/2.0.10-1etch3

Fixed in versions wordpress/2.5.0-1, wordpress/2.0.10-1etch4

Done: Giuseppe Iuculano <giuseppe@iuculano.it>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#504243; Package wordpress. (Sun, 02 Nov 2008 02:48:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2008-1502: _bad_protocol_once function in KSES allows remote attackers to conduct XSS attacks
Date: Sat, 1 Nov 2008 20:40:32 -0600
Package: wordpress
Severity: grave
Version: 2.0.10-1etch3
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for 
KSES, which affects the embedded copy shipped in wordpress[0].

CVE-2008-1502[1]:
> The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES,
> as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other
> products, allows remote attackers to bypass HTML filtering and conduct
> cross-site scripting (XSS) attacks via a string containing crafted URL
> protocols.

It should be possible to either backport the patch from wordpress in lenny/sid 
or from moodle in sid.

If you fix the vulnerability please also make sure to include the CVE id in 
the changelog entry.

[0] usr/share/wordpress/wp-includes/kses.php
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1502
     http://security-tracker.debian.net/tracker/CVE-2008-1502

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#504243; Package wordpress. (Mon, 19 Jan 2009 18:54:02 GMT)

Acknowledgement sent to jidanni@jidanni.org:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Mon, 19 Jan 2009 18:54:02 GMT)

Message #8 received at 504243@bugs.debian.org:

From: jidanni@jidanni.org
To: 504243@bugs.debian.org
Cc: security@debian.org
Subject: WordPress < 2.6.5
Date: Tue, 20 Jan 2009 02:53:11 +0800
All I know is
$ grep wp_version\ = /usr/share/wordpress/wp-includes/version.php
$wp_version = '2.6.2';
And http://www.dreamhoststatus.com/2009/01/15/outdated-wordpress-reminder/ :
Very shortly we will begin sending out emails to customers with outdated
WordPress installations, asking them to upgrade to the most recent available:
2.7. Versions older than 2.6.5 are known to have vulnerabilities that can be
exploited for many purposes including defacing your websites, writing arbitrary
data to the filesystem under your user (including other domains without
WordPress), sending spam, running phishing scams, and various other prohibited
or illegal activity. If you are running an older version of WordPress, please
upgrade as soon as possible.




Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#504243; Package wordpress. (Mon, 19 Jan 2009 22:24:02 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Mon, 19 Jan 2009 22:24:02 GMT)

Message #13 received at 504243@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: jidanni@jidanni.org
Cc: 504243@bugs.debian.org, security@debian.org
Subject: Re: WordPress < 2.6.5
Date: Mon, 19 Jan 2009 23:21:03 +0100
Hi,
* jidanni@jidanni.org <jidanni@jidanni.org> [2009-01-19 22:14]:
> $ grep wp_version\ = /usr/share/wordpress/wp-includes/version.php
> $wp_version = '2.6.2';
[...] 
> 2.7. Versions older than 2.6.5 are known to have vulnerabilities that can be
> exploited for many purposes including defacing your websites, writing arbitrary
> data to the filesystem under your user (including other domains without
> WordPress), sending spam, running phishing scams, and various other prohibited
> or illegal activity. If you are running an older version of WordPress, please
> upgrade as soon as possible.

We are currently not aware of any vulnerability with the 
impact you described above. As you are referring to 
unstable, currently unstable suffers of fixes for the 
following CVE ids:

CVE-2008-5695 (wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 ...)
    - wordpress <unfixed> (low)
CVE-2008-XXXX [possible script injection via /etc/wordpress/wp-config.php]
    - wordpress <unfixed> (bug #500295; unimportant)
CVE-2008-0195 (WordPress 2.0.11 and earlier allows remote attackers to obtain ...)
    - wordpress <unfixed> (unimportant)
CVE-2008-0191 (WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive ...)
    - wordpress <unfixed> (unimportant)
CVE-2006-4743 (WordPress 2.0.2 through 2.0.5 allows remote attackers to obtain ...)
    - wordpress <unfixed> (unimportant)
CVE-2006-3390 (WordPress 2.0.3 allows remote attackers to obtain the installation ...)
    - wordpress <unfixed> (unimportant)
CVE-2006-3389 (index.php in WordPress 2.0.3 allows remote attackers to obtain ...)
    - wordpress <unfixed> (unimportant)
CVE-2006-0733 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in WordPress ...)
    - wordpress <unfixed> (unimportant)

As you see all of the unfixed issues except CVE-2008-5695 are marked as unimportant
by members of the security team (this data is taken from the security tracker[0]) and
none of these have the impact you described.
CVE-2008-5695 leads to code execution but not for random attackers but only for
administrator and editor users which is why the impact is rated as low.


So if you want to be helpful please provide us detailed information about your
claims and please don't abuse a bug affecting only stable to report your
problem.

[0] http://security-tracker.debian.net/

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#504243; Package wordpress. (Mon, 19 Jan 2009 23:00:02 GMT)

Acknowledgement sent to jidanni@jidanni.org:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Mon, 19 Jan 2009 23:00:02 GMT)

Message #18 received at 504243@bugs.debian.org:

From: jidanni@jidanni.org
To: nion@debian.org
Cc: 504243@bugs.debian.org, security@debian.org
Subject: Re: WordPress < 2.6.5
Date: Tue, 20 Jan 2009 06:58:13 +0800
All I know is following this path
http://www.dreamhoststatus.com/2009/01/15/outdated-wordpress-reminder/
http://secunia.com/advisories/search/?search=wordpress
http://secunia.com/advisories/32882/
http://secunia.com/advisories/cve_reference/CVE-2008-5278/
We see ...for WordPress before 2.6.5...
But http://security-tracker.debian.net/tracker/CVE-2008-5278
says unstable 2.6.2 is not vulnerable. OK, you win. Sorry.




Bug Marked as fixed in versions wordpress/2.5.0-1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 10 Aug 2009 20:39:10 GMT)

Added tag(s) pending. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Sat, 15 Aug 2009 11:33:02 GMT)

Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sun, 23 Aug 2009 14:33:05 GMT)

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Sun, 23 Aug 2009 14:33:05 GMT)

Message #27 received at 504243-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 504243-close@bugs.debian.org
Subject: Bug#504243: fixed in wordpress 2.0.10-1etch4
Date: Sun, 23 Aug 2009 14:03:08 +0000
Source: wordpress
Source-Version: 2.0.10-1etch4

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.0.10-1etch4.diff.gz
  to pool/main/w/wordpress/wordpress_2.0.10-1etch4.diff.gz
wordpress_2.0.10-1etch4.dsc
  to pool/main/w/wordpress/wordpress_2.0.10-1etch4.dsc
wordpress_2.0.10-1etch4_all.deb
  to pool/main/w/wordpress/wordpress_2.0.10-1etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 504243@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Aug 2009 11:58:32 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.0.10-1etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 wordpress  - an award winning weblog manager
Closes: 491846 500115 504234 504243 504771 531736 531736 536724
Changes: 
 wordpress (2.0.10-1etch4) oldstable-security; urgency=high
 .
   * [2ef79dd] Removed 010CVE2008-0664.patch, it caused a regression and
     wordpress 2.0.10 isn't affected by CVE-2008-0664. (Closes: #491846)
   * [abbabe9] Fixed CVE-2008-1502 _bad_protocol_once function in KSES
     allows remote attackers to conduct XSS attacks (Closes: #504243)
   * [e8a73eb] Fixed CVE-2008-4106: Whitespaces in user name are now
     checked during login. (Closes: #500115)
   * [8a2e4f9] Fixed CVE-2008-4769: Sanitize "cat" query var and cast to
     int before looking for a category template
   * [711274f] Fixed CVE-2008-4796: missing input sanitising in embedded
     copy of Snoopy.class.php (Closes: #504234)
   * [17c72c0] Fixed CVE-2008-6762: Force redirect after an upgrade
     (Closes: #531736)
   * [88d8244] Fixed CVE-2008-6767: Only admin can upgrade wordpress.
     (Closes: #531736)
   * [d5c02a9] Fixed CVE-2009-2334 and CVE-2009-2854: Added some CYA cap checks
     (Closes: #536724)
   * [80e9dbd] Fixed CVE-2008-5113: Force REQUEST to be GET + POST.  If
     SERVER, COOKIE, or ENV are needed, use those superglobals directly.
     (Closes: #504771)
   * [7f577ca] Fixed CVE-2009-2851: Sanitize HTML URLs in author comments
   * [f23d55f] Fixed CVE-2009-2853: Stop direct loading of files in wp-admin
     that should only be included
Files: 
 d9389cbc71eee6f08b15762a97c9d537 607 web optional wordpress_2.0.10-1etch4.dsc
 45349b0822fc376b8cfef51b5cec3510 50984 web optional wordpress_2.0.10-1etch4.diff.gz
 71a6aea482d0e7afb9c82701bef336e9 521060 web optional wordpress_2.0.10-1etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqN5KUACgkQ62zWxYk/rQf2XgCdFV8GR2K1YxsS+LI4qrIQVc+z
FXQAoKs1Tt+JiOHxEEM61EeSOwUpUPhw
=kQoV
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 21 Sep 2009 07:42:51 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 19:20:02 2014; Machine Name: buxtehude.debian.org
