CVE-2007-1599: wp-login.php allows remote attackers to redirect authenticated users to other websites

Debian Bug report logs - #437085
CVE-2007-1599: wp-login.php allows remote attackers to redirect authenticated users to other websites

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: several CVEs against wordpress

Date: Fri, 10 Aug 2007 21:23:42 +1000

Package: wordpress
Severity: important

Hi

There are three CVE numbers[0][1][2] issued for wordpress.
Unfortunately, they do not tell me a lot. Can you maybe have a look at
them and checkout, if they affect the current debian versions?

The three texts say:


CVE-2007-1599:

wp-login.php in WordPress allows remote attackers to redirect
authenticated users to other websites and potentially obtain sensitive
information via the redirect_to parameter.



CVE-2007-2627:

Cross-site scripting (XSS) vulnerability in sidebar.php in WordPress,
when custom 404 pages that call get_sidebar are used, allows remote
attackers to inject arbitrary web script or HTML via the query string
(PHP_SELF), a different vulnerability than CVE-2007-1622.



CVE-2007-3238:

Cross-site scripting (XSS) vulnerability in functions.php in the default
theme in WordPress 2.2 allows remote authenticated administrators to
inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to
wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE:
this might not cross privilege boundaries in some configurations, since
the Administrator role has the unfiltered_html capability.


Please also note the CVE numbers in the changelog, if you should decide
to include fixes.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1599

[1]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2627

[2]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3238

Message #10 received at 437085@bugs.debian.org (full text, mbox, reply):

From: "Kai Hendry" <kai.hendry@gmail.com>

To: 437085@bugs.debian.org

Subject: Fwd: http://wordpress.org/development/2007/06/wordpress-221/

Date: Fri, 10 Aug 2007 12:36:19 +0100

I am urging the security team to sponsor 2.0.11 into the stable archive.

As for testing/unstable and 2.2.2 has 2627 and 3238 fixed. 1599 is not
a priority.

---------- Forwarded message ----------
From: Mark Jaquith <mark.jaquith@txfx.net>
Date: Aug 3, 2007 10:05 PM
Subject: Re: http://wordpress.org/development/2007/06/wordpress-221/
To: hendry@iki.fi, Ryan Boren <ryan@boren.nu>


CVE-2007-0540 - This won't be fixed for this version.  It's a tricky
problem without an obvious solution.  It's low on the security ladder,
thankfully.

CVE-2007-1230 - This is rather vague, but the one I can glean from it
was already fixed in 2.0.10 - http://trac.wordpress.org/changeset/5058

CVE-2007-1244 - This is XSS, not CSRF.  It is fixed... likely in [5058]

CVE-2007-1599 - This won't be fixed for this version.  We are
discussing the issue.  It's not really an exploit so much as a very
slight Phishing aid, so it's not a huge priority.

CVE-2007-1732 - There is no such parameter -- the bug is inadequately described.

CVE-2007-2627 - This was fixed almost two years ago:
http://trac.wordpress.org/changeset/2884/trunk/wp-content/themes/default/searchform.php

CVE-2007-2821 - This will be fixed in 2.0.11 (
http://trac.wordpress.org/changeset/5442 )

CVE-2007-3140 - Does not apply to 2.0.x branch

CVE-2007-3238 - This will be fixed in 2.0.11 (
http://trac.wordpress.org/changeset/5680/branches/2.0/wp-content/themes/default/functions.php
)

On 8/3/07, Kai Hendry <kai.hendry@gmail.com> wrote:
> http://security-tracker.debian.net/tracker/source-package/wordpress
>
> I'm having trouble tracking down these CVEs in Trac. :)
>
> I hope you can give me some pointers. Debian security and putting the
> screws in again!
>
>


--
Mark Jaquith
http://markjaquith.com/ | http://txfx.net/

Covered Web Services
http://coveredwebservices.com/

WordPress Ninja @ b5media Inc
http://b5media.com/

Message #15 received at 437085-done@bugs.debian.org (full text, mbox, reply):

From: Kai Hendry <hendry@iki.fi>

To: 437085-done@bugs.debian.org

Subject: closing

Date: Fri, 10 Aug 2007 12:47:36 +0100

Thanks for your concern Steffen.

I'll make more of an effort to mark the CVEs in the changelogs.

Message #20 received at 437085@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: 437085@bugs.debian.org

Subject: Re: Bug#437085 closed by Kai Hendry <hendry@iki.fi> (closing)

Date: Fri, 10 Aug 2007 21:58:16 +1000

[Message part 1 (text/plain, inline)]

Hi

Thanks for checking the wordpress package. Can you please tell me in which 
debian version the CVEs are fixed? This way I can mark them with the version 
number in our security tracker.

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 437085@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: control@bugs.debian.org

Cc: 437085@bugs.debian.org

Subject: reopen until last CVE is closed :)

Date: Mon, 13 Aug 2007 21:00:09 +1000

[Message part 1 (text/plain, inline)]

reopen 437085
severity 437085 normal
thanks

Hi

Thanks for all the detailed information. I reopen the bugreport and set it to 
severity "normal" until CVE-2007-1599 is fixed. Hope this is ok with you :)

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Message #34 received at 437085@bugs.debian.org (full text, mbox, reply):

From: "Kai Hendry" <kai.hendry@gmail.com>

To: "Steffen Joeris" <steffen.joeris@skolelinux.de>, 437085@bugs.debian.org

Subject: Re: Bug#437085: reopen until last CVE is closed :)

Date: Mon, 13 Aug 2007 12:05:23 +0100

Ok, though just to recall upstream's comments on this one:

CVE-2007-1599 - This won't be fixed for this version.  We are
discussing the issue.  It's not really an exploit so much as a very
slight Phishing aid, so it's not a huge priority.


So I might adjust the severity to minor.



Cheers,

Message #45 received at 437085-done@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>

To: 437085-done@bugs.debian.org

Subject: fixed

Date: Sat, 15 Aug 2009 18:15:38 +0200

[Message part 1 (text/plain, inline)]

Version: 2.2.2-1

Fixed in wordpress 2.2.2-1

Cheers,
Giuseppe.

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.