wordpress: CVE-2008-2392 Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier

Related Vulnerabilities: CVE-2008-2392  

Debian Bug report logs - #485807


Reported by: Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>

Date: Wed, 11 Jun 2008 15:48:01 UTC

Severity: important

Tags: security

Fixed in version wordpress/2.5.1-4

Done: Andrea De Iacovo <andrea.de.iacovo@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#485807; Package wordpress.


Acknowledgement sent to Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>:
New Bug report received and forwarded. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>.

Your message had a Version: pseudo-header with an invalid package version:

<= 2.5.1-3

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.



Message #5 received at submit@bugs.debian.org:

From: Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>
To: submit@bugs.debian.org
Subject: wordpress: CVE-2008-2392 Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier
Date: Wed, 11 Jun 2008 17:47:12 +0200
Package: wordpress
Version: <= 2.5.1-3
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for wordpress.

CVE-2008-2392[0]:
| Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier
| might allow remote authenticated administrators to upload and execute
| arbitrary PHP files via the Upload section in the Write Tabs area of
| the dashboard.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2392
    http://security-tracker.debian.net/tracker/CVE-2008-2392
        
It seems that this bug is mentioned in wordpress as #7113 and
is fixed with the new svn revision 8068.

The diff for that can be viewed at:
http://trac.wordpress.org/attachment/ticket/7113/7113.2.diff

Kind regards,
Thomas.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#485807; Package wordpress.


Acknowledgement sent to Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>.


Message #10 received at 485807@bugs.debian.org:

From: Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>
To: 485807@bugs.debian.org
Subject: RE: wordpress: CVE-2008-2392 Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier
Date: Wed, 11 Jun 2008 18:27:07 +0200
Hi,

first of all SORRY for my mistakes in the last mail.

The 'Version'-tag is not really correct. So, you can
ignore the '<=' :)

And, I am not 100% sure that the diff from the wordpress
trac system, I wrote, is the patch for the bug!
It seems so, but I only had a quick look at it.

sorry,
Thomas.

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#485807; Package wordpress.


Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list.


Message #15 received at 485807@bugs.debian.org:

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>, 485807@bugs.debian.org
Subject: Re: Bug#485807: wordpress: CVE-2008-2392 Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier
Date: Wed, 11 Jun 2008 19:46:43 +0200
> Hi,
Hello and thank you for reporting the bug.

> 
> first of all SORRY for my mistakes in the last mail.
No problem ;)

> And, I am not 100% sure that the diff from the wordpress
> trac system, I wrote, is the patch for the bug!
> It seems so but I just had have only a quick look at it.
Unfortunately it's not the right fix, and unfortunately there's not a
right fix for this issue.

In version 2.3.1 (or something like that) the development team
introduced a new functionality in wordpress: administrators have the
right to upload anything they want, whatever the file's mime type is.
This could be a great feature if you're running a single blog with
wordpress, but if you use wordpress to run multiple blogs on the same
machine (each one with its own administrator) things are not going to be
so good.

I recently discussed the issue with the security team and we decided it
should be better to remove the unrestricted upload functionality
mentioning this change in the NEWS file.

I've been a little busy these days but I think I'll provide the new
package within the weekend.

Thank you again.

Regards.

Andrea De Iacovo
[signature.asc (application/pgp-signature, inline)]

Reply sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
You have taken responsibility.


Notification sent to Thomas Bläsing <thomasbl@pool.math.tu-berlin.de>:
Bug acknowledged by developer.


Message #20 received at 485807-close@bugs.debian.org:

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 485807-close@bugs.debian.org
Subject: Bug#485807: fixed in wordpress 2.5.1-4
Date: Sat, 14 Jun 2008 17:17:20 +0000
Source: wordpress
Source-Version: 2.5.1-4

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.5.1-4.diff.gz
  to pool/main/w/wordpress/wordpress_2.5.1-4.diff.gz
wordpress_2.5.1-4.dsc
  to pool/main/w/wordpress/wordpress_2.5.1-4.dsc
wordpress_2.5.1-4_all.deb
  to pool/main/w/wordpress/wordpress_2.5.1-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 485807@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea De Iacovo <andrea.de.iacovo@gmail.com> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 14 Jun 2008 17:31:04 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.5.1-4
Distribution: unstable
Urgency: low
Maintainer: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Changed-By: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
Description: 
 wordpress  - weblog manager
Closes: 485807
Changes: 
 wordpress (2.5.1-4) unstable; urgency=low
 .
   * Added patch to fix unrestricted file upload vulnerability (Closes: #485807)
     Now administrators can upload only files that are in the standard
     mime-type set (Fixes CVE-2008-2392)
Checksums-Sha1: 
 d6efad6a05d3888ca535f04a2143ed9851e673b7 1311 wordpress_2.5.1-4.dsc
 ee06a2913e2e4bf1f7726a67e760da69aa71fa5b 694386 wordpress_2.5.1-4.diff.gz
 08ce30c3d5e015ef7af2b5b2e02adee93659e322 1038376 wordpress_2.5.1-4_all.deb
Checksums-Sha256: 
 07924bda2c2dd5f101ee65340267082761c205f0795e9bbadeb023a7d30e6d79 1311 wordpress_2.5.1-4.dsc
 c08346452069434eea426dae7502b5e3f8d5663cf70fe3dff44a5b412917fab0 694386 wordpress_2.5.1-4.diff.gz
 43e390691e0725f1aacd6f3af6fe057d02c7d6afd776cb35f0253bcec8754ea7 1038376 wordpress_2.5.1-4_all.deb
Files: 
 db68461591413ffe40798ca889fd09b1 1311 web optional wordpress_2.5.1-4.dsc
 d3e15c430bcf5cd3a3d094757e912b7e 694386 web optional wordpress_2.5.1-4.diff.gz
 145d5509ea4b4067dded3ebd7736ffe9 1038376 web optional wordpress_2.5.1-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJIU/gcAAoJEGz0hbPcukPfdOEH/1JhRIvlZsVrupDnqWJIt77N
Aer1nVfvho0h5kAtVRiD0BwprMw2q7nUjPrR2q2yYV57Uzijy7VZ0hsd55nR2ELS
F4baxzVQGJ/LVyxJuQyqzx8OdYTPsLSUXoKClMHluKtQCCcSHQb64NBHw6W971Zl
ONuRUhmxnQBrByYUbdxA+d2zkeA0OLtqeiF8mGDZiKVlyP7M4MqvMxvjZa2v8VT+
tAFm30ZP2mJNa4NV3Jbd1BUVc6pdjo+vcWTUvg8W63iZVd994PBu2I9FkowvVKKK
U9mizIoCqSQwbygZYvdUfCz+p4JWVFYzX24spYiv7UGLQr8pbYP7hBXEviElYF0=
=KJyu
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 16 Jul 2008 07:26:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:50:59 2019; Machine Name: buxtehude
