possible script injection via /etc/wordpress/wp-config.php

Related Vulnerabilities: CVE-2008-5113  

Debian Bug report logs - #500295
possible script injection via /etc/wordpress/wp-config.php


Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Sat, 27 Sep 2008 00:18:02 UTC

Severity: important

Tags: security

Found in versions wordpress/2.5.1-7, wordpress/2.0.10-1etch4, wordpress/2.8.4-1

Done: Giuseppe Iuculano <giuseppe@iuculano.it>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#500295; Package wordpress. (Sat, 27 Sep 2008 00:18:04 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: possible script injection via /etc/wordpress/wp-config.php
Date: Fri, 26 Sep 2008 19:17:01 -0500
Package: wordpress
Version: 2.5.1-7
Severity: important
Tags: security

The file as found in 2.5.1-7 takes the HTTP_HOST and uses it to find the 
config-<host>.php file to include.

This routine is prone to attacks by a local user via an especially crafted Host 
header.

Feel free to increase the severity.

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Bug marked as found in version 2.0.10-1etch4. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Sat, 27 Sep 2008 01:33:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#500295; Package wordpress. (Sun, 28 Sep 2008 11:45:05 GMT)


Acknowledgement sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Extra info received and forwarded to list. (Sun, 28 Sep 2008 11:45:05 GMT)


Message #10 received at 500295@bugs.debian.org:

From: Andrea De Iacovo <andrea.de.iacovo@gmail.com>
To: 500295@bugs.debian.org
Date: Sun, 28 Sep 2008 13:41:14 +0200
Hi

Maybe you're right but the problem is still really not critical. 
wp-config.php looks for something like /etc/wordpress/config-$host.php
so my question is: if someone has unauthorized and malicious access
to /etc/wordpress (or, maybe, to /etc/*?) is it a wordpress problem?

However I'll try to find a better way to look for the correct
configuration file: maybe reading a local list of authorized config
files?

Thank you for reporting.

Cheers.

Andrea De Iacovo

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#500295; Package wordpress. (Sun, 30 Nov 2008 18:48:03 GMT)


Message #13 received at 500295@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: 500295@bugs.debian.org
Subject: Re: possible script injection via /etc/wordpress/wp-config.php
Date: Sun, 30 Nov 2008 12:41:52 -0600
Hi,

On Sunday 28 September 2008, Andrea De Iacovo wrote:
> Hi
>
> Maybe you're right but the problem is still really not critical.
> wp-config.php looks for something like /etc/wordpress/config-$host.php
> so my question is: if someone has unauthorized and malicious access
> to /etc/wordpress (or, maybe, to /etc/*?) is it a wordpress problem?

Based on what just happened with the XSS vuln via HTTP_HOST in the RSS feeds 
I'd say yes.

Although like I mentioned the other day in IRC, I think it is more a bug on 
apache than on wordpress or php itself.

>
> However I'll try to find a better way to look for the correct
> configuration file: maybe reading a local list of authorized config
> files?

>     $debian_server = preg_replace('/:.*/', "", $_SERVER['HTTP_HOST']);
>     $debian_file =
> '/etc/wordpress/config-'.strtolower($debian_server).'.php';

// dirname() returns the directory without a trailing slash
$allowed_paths = array('/etc/wordpress');
if (!in_array(dirname(realpath($debian_file)), $allowed_paths))
    die("The config file for the specified host is not under an allowed path");

>
> Thank you for reporting.
>
> Cheers.
>
> Andrea De Iacovo

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Andrea De Iacovo <andrea.de.iacovo@gmail.com>:
Bug#500295; Package wordpress. (Sat, 15 Aug 2009 17:30:11 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Andrea De Iacovo <andrea.de.iacovo@gmail.com>. (Sat, 15 Aug 2009 17:30:11 GMT)


Message #18 received at 500295@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 500295@bugs.debian.org,control@bugs.debian.org,500295-submitter@bugs.debian.org
Subject: [cf78bf5] Fix for Bug#500295 committed to git
Date: Sat, 15 Aug 2009 17:22:09 +0000
tags 500295 +pending
thanks

Hello,

     The following change has been committed for this bug by
 Giuseppe Iuculano <giuseppe@iuculano.it> on Sat, 15 Aug 2009 19:19:02 +0200.
 The fix will be in the next upload. 
=========================================================================
debian/wp-config.php: check if $debian_file is under /etc/wordpress and mitigate a possible script injection via /etc/wordpress/wp-config.php (Closes: #500295)


=========================================================================

You can check the diff of the fix at:

    http://git.debian.org/?p=users/derevko-guest/wordpress.git;a=commitdiff;h=cf78bf5






Added tag(s) pending. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Sat, 15 Aug 2009 17:30:12 GMT)


Message sent on to Raphael Geissert <atomo64@gmail.com>:
Bug#500295. (Sat, 15 Aug 2009 17:30:15 GMT)


Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Tue, 18 Aug 2009 07:39:17 GMT)


Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Tue, 18 Aug 2009 07:39:17 GMT)


Message #28 received at 500295-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 500295-close@bugs.debian.org
Subject: Bug#500295: fixed in wordpress 2.8.4-1
Date: Tue, 18 Aug 2009 07:02:24 +0000
Source: wordpress
Source-Version: 2.8.4-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.8.4-1.diff.gz
  to pool/main/w/wordpress/wordpress_2.8.4-1.diff.gz
wordpress_2.8.4-1.dsc
  to pool/main/w/wordpress/wordpress_2.8.4-1.dsc
wordpress_2.8.4-1_all.deb
  to pool/main/w/wordpress/wordpress_2.8.4-1_all.deb
wordpress_2.8.4.orig.tar.gz
  to pool/main/w/wordpress/wordpress_2.8.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 500295@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 18 Aug 2009 08:28:23 +0200
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.8.4-1
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <giuseppe@iuculano.it>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 wordpress  - weblog manager
Closes: 500295 504242 517969 541371
Changes: 
 wordpress (2.8.4-1) unstable; urgency=low
 .
   * [5f0812d] Imported Upstream version 2.8.4
   * [e1ea94b] Switch to quilt
   * [cf8904e] Removed Andrea De Iacovo from Maintainer field, thanks
     Andrea for the prior work on wordpress!
   * [6013bd8] Removed 007_REQUEST.patch, upstream already fixed CVE-2008-5113
     in a better way
   * [8da39ea] Removed 004languages.patch, it contains outdated languages
     files
   * [d5696ea] debian/control: Updated Vcs control field
   * [89316e0] debian/rules: Comment the DH_VERBOSE export
   * [cf78bf5] debian/wp-config.php: check if $debian_file is under
     /etc/wordpress and mitigate a possible script injection via
     /etc/wordpress/wp-config.php. Thanks to Raphael Geissert (Closes: #500295)
   * [ece1c25] debian/get-upstream-i18n: Do not remove outdated language
     files by default
   * [59547a2] Do not embed tinymce, php-gettext and cropper. (Closes: #504242)
   * [848828d] debian/postinst: Create the symlinks manually, dpkg
     doesn't replace directories with symlinks. (Closes: #517969)
   * [2af4aea] debian/patches/009CVE2008-6767.patch: Grant upgrade
     privilege to all admin users. Thanks to Ivan Warren (Closes: #541371)
   * [46e8f2b] debian/control: Removed the sentence about the French
     language support, now there are a lot of language files
   * [fcd94c6] debian/control: Remove outdated packages from Depends,
     Suggests, and Conflicts
   * [9c28177] Updated to standards version 3.8.3 (No changes needed)
   * [700156e] Added a README.source (Debian Policy Manual section 4.14)
   * [13a98d5] Updated language files
   * [a86b72a] Do not install readme.html in doc, it doesn't contain any
     relevant information for Debian users
   * [25d4e8e] Updated copyright file

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqKTnQACgkQNxpp46476apxpQCeIvJ//6U6kqMy7rezZZMGJoGj
O0IAn0kbHE5wyCH6CWj7Ak1WFlWXuBUk
=+7wh
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug#500295; Package wordpress. (Thu, 20 Aug 2009 21:51:03 GMT)


Acknowledgement sent to Matthew Carroll <m@tthew.org.uk>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <giuseppe@iuculano.it>. (Thu, 20 Aug 2009 21:51:03 GMT)


Message #33 received at 500295@bugs.debian.org:

From: Matthew Carroll <m@tthew.org.uk>
To: Debian Bug Tracking System <500295@bugs.debian.org>
Subject: wordpress: Fix creates problems for sym-linked config files
Date: Thu, 20 Aug 2009 23:48:52 +0200
Package: wordpress
Version: 2.8.4-1
Followup-For: Bug #500295


This upgrade broke all of our wordpress instances, as the config files for each
site are sym-linked from /etc/wordpress to separate locations for each site.

Perhaps there is a better way of fixing this injection vulnerability that still
allows sym-linked config files? If not, then at a minimum users should be
notified of the change before the upgrade (news?) so breakages can be avoided.

Thanks
Matthew

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (990, 'stable'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15 (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages wordpress depends on:
ii  apache2            2.2.9-10+lenny4       Apache HTTP Server metapackage
ii  apache2-mpm-prefor 2.2.9-10+lenny4       Apache HTTP Server - traditional n
ii  libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  libjs-cropper      1.2.0-1               JavaScript image cropper UI
ii  libjs-jquery       1.2.6-2               JavaScript library for dynamic web
ii  libjs-prototype    1.6.0.2-4             JavaScript Framework for dynamic w
ii  libjs-scriptaculou 1.8.1-5               JavaScript library for dynamic web
ii  libphp-phpmailer   1.73-6                full featured email transfer class
ii  libphp-snoopy      1.2.4-1               Snoopy is a PHP class that simulat
ii  mysql-client       5.0.51a-24+lenny1     MySQL database client (metapackage
ii  mysql-client-5.0 [ 5.0.51a-24+lenny1     MySQL database client binaries
ii  php-gettext        1.0.7-6               read gettext MO files directly, wi
ii  php5               5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii  php5-gd            5.2.6.dfsg.1-1+lenny3 GD module for php5
ii  php5-mysql         5.2.6.dfsg.1-1+lenny3 MySQL module for php5
ii  tinymce            3.2.1.1-0.1           platform independent web based Jav

wordpress recommends no packages.

Versions of packages wordpress suggests:
ii  mysql-server           5.0.51a-24+lenny1 MySQL database server (metapackage
ii  mysql-server-5.0 [mysq 5.0.51a-24+lenny1 MySQL database server binaries

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#500295; Package wordpress. (Wed, 26 Aug 2009 12:52:32 GMT)


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. (Wed, 26 Aug 2009 12:52:32 GMT)


Message #38 received at 500295@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Matthew Carroll <m@tthew.org.uk>, 500295@bugs.debian.org
Subject: Re: Bug#500295: wordpress: Fix creates problems for sym-linked config files
Date: Wed, 26 Aug 2009 14:11:37 +0200
Hi,

Matthew Carroll wrote:
> This upgrade broke all of our wordpress instances, as the config files for each
> site are sym-linked from /etc/wordpress to separate locations for each site.
> 
> Perhaps there is a better way of fixing this injection vulnerability that still
> allows sym-linked config files? If not, then at a minimum users should be
> notified of the change before the upgrade (news?) so breakages can be avoided.

I will add a note about that in NEWS and README.Debian.

Cheers,
Giuseppe.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Sep 2009 07:50:55 GMT)
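
The path check proposed in message #13 and the symlink breakage reported in message #33, as an added PHP example that is not the Debian package's code. The function name resolve_host_config, the hostname pattern and the temporary directories standing in for /etc/wordpress are assumptions made for this demonstration.

```php
<?php
// Added example, not the Debian package's code. The function name, the
// hostname pattern and the temporary fixture directories are assumptions.

function resolve_host_config(string $http_host, string $config_dir): ?string
{
    // Same derivation as the quoted wp-config.php lines: drop the port, lowercase.
    $server = strtolower(preg_replace('/:.*/', '', $http_host));

    // Assumption: accept only hostname characters, so path separators and
    // NUL bytes never reach the filesystem lookup.
    if (!preg_match('/\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/', $server)) {
        return null;
    }

    $file = $config_dir . '/config-' . $server . '.php';
    $real = realpath($file);   // false if the file is missing; symlinks are resolved

    // The check from the thread: the resolved file must sit directly in the
    // config directory. A symlink that points elsewhere fails here, which is
    // the behaviour change reported after the 2.8.4-1 upgrade.
    if ($real === false || dirname($real) !== realpath($config_dir)) {
        return null;
    }
    return $real;
}

// Constructed fixture: a stand-in for /etc/wordpress plus one outside directory.
$base = sys_get_temp_dir() . '/wpcfg-demo-' . getmypid();
$etc  = "$base/etc-wordpress";
$site = "$base/srv-site";
mkdir($etc, 0700, true);
mkdir($site, 0700, true);
file_put_contents("$etc/config-blog.example.org.php", "<?php // constructed\n");
file_put_contents("$site/config.php", "<?php // constructed\n");
symlink("$site/config.php", "$etc/config-linked.example.org.php");

// Constructed Host header values: a normal one with a port, one whose config
// is a symlink, one with no config file, and one containing path separators.
$hosts = ['Blog.Example.org:8080', 'linked.example.org', 'missing.example.org', 'a/../b'];
foreach ($hosts as $host) {
    $path = resolve_host_config($host, $etc);
    printf("%-24s => %s\n", $host, $path === null ? 'rejected' : basename($path));
}

// Remove the fixture.
foreach (array_merge(glob("$etc/*"), glob("$site/*")) as $f) { unlink($f); }
rmdir($etc); rmdir($site); rmdir($base);
```

Only the first Host value resolves to a config file; the symlinked entry is rejected by the directory comparison even though its hostname is well formed.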




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:15 2019; Machine Name: beach
