wordpress: CVE-2012-4448

Related Vulnerabilities: CVE-2012-4448  

Debian Bug report logs - #689031

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 28 Sep 2012 13:51:01 UTC

Severity: important

Tags: security

Fixed in versions wordpress/3.5.1+dfsg-2, 3.5.1+dfsg-2

Done: Henri Salo <henri@nerv.fi>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#689031; Package wordpress. (Fri, 28 Sep 2012 13:51:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giuseppe Iuculano <iuculano@debian.org>. (Fri, 28 Sep 2012 13:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: CVE-2012-4448
Date: Fri, 28 Sep 2012 15:45:42 +0200
Package: wordpress
Severity: important
Tags: security
Justification: user security hole

This was assigned CVE-2012-4448:
http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html
https://bugzilla.redhat.com/show_bug.cgi?id=860261

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#689031; Package wordpress. (Tue, 16 Oct 2012 19:06:03 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 16 Oct 2012 19:06:03 GMT)


Message #10 received at 689031@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 689031@bugs.debian.org
Subject: CVE-2012-4448
Date: Tue, 16 Oct 2012 22:03:49 +0300
I got this information from a WordPress team member: "We've internally classified this CSRF as not critical because of the limited impact; it cannot lead to XSS or anything that amounts to much more than comment spam."

How do you think we should proceed?

More references:
https://bugs.gentoo.org/show_bug.cgi?id=436198
https://secunia.com/advisories/50715/
http://osvdb.org/85731

- Henri Salo



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#689031; Package wordpress. (Tue, 16 Oct 2012 20:45:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 16 Oct 2012 20:45:04 GMT)


Message #15 received at 689031@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Henri Salo <henri@nerv.fi>, 689031@bugs.debian.org
Subject: Re: Bug#689031: CVE-2012-4448
Date: Tue, 16 Oct 2012 22:41:57 +0200
Hi,

On Tue, 16 Oct 2012, Henri Salo wrote:
> How do you think we should proceed?

We're going to wait for a patch? Hasn't this been fixed for the upcoming
3.5 release?

If yes, we should be able to extract the patch from SVN (or directly
update to 3.5 when it's available).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#689031; Package wordpress. (Tue, 02 Apr 2013 08:39:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 02 Apr 2013 08:39:04 GMT)


Message #20 received at 689031@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 689031@bugs.debian.org
Subject: Update
Date: Tue, 2 Apr 2013 11:37:28 +0300
Hello,

CVE-2012-4448 has been fixed in 3.5 or in 3.5.1. I don't have enough time to
start installing multiple old versions. Using the PoC[1] against a 3.5.1
installation I don't get any changes, whether using a normal RSS-feed URL or a
file location. When using 3.3.2+dfsg-1~squeeze1 and <input name="widget-rss[1][url]"
type="hidden" value="http://www.debian.org/security/dsa" />

I get the view in the administrator panel which you can see in the attached PNG,
and the links shown there are the same as in the RSS feed. The release news for
3.5.1 says the following, which might be related to fixing this issue:

"""
A server-side request forgery vulnerability and remote port scanning using
pingbacks. This vulnerability, which could potentially be used to expose
information and compromise a site, affects all previous WordPress versions. This
was fixed by the WordPress security team. We'd like to thank security
researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
"""

The only way to exploit this would be to get a logged-in admin to visit a CSRF
page with a malicious RSS feed. After that someone needs to click those links, or
some WordPress users might include this information in their web pages (not
default). The PHP function fopen is used to fetch RSS feeds. As per this fast
analysis I'd say this is a VERY minor issue in Debian, and it is fixed in wheezy.

1: https://bugzilla.redhat.com/show_bug.cgi?id=860261#c1

---
Henri Salo
[CVE-2012-4448.png (image/png, attachment)]
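Henri's reproduction above needs a single hidden field, widget-rss[1][url], posted to the admin panel while the admin is logged in. The following is an added example, not WordPress's own code: a Python model of that widget-save handler, first in the pre-fix shape (any authenticated POST is honoured) and then with the class of fix WordPress applies, a per-user, per-action nonce embedded in the admin's own form and checked server-side. The secret, the _wpnonce field name, the "save-widget" action string and the timestamps are assumptions for the example; the nonce scheme is a simplified stand-in for wp_create_nonce()/wp_verify_nonce().

```python
# Added example, not WordPress code: a model of the widget-save request
# described in this thread, before and after a CSRF nonce check.  The nonce
# scheme is a simplified stand-in for WordPress's wp_create_nonce() /
# wp_verify_nonce(): an HMAC over (time window, action, user id) that stays
# valid for the current and the previous window.  SECRET_KEY, the field name
# "_wpnonce" and the "save-widget" action are assumptions for the example.
import hashlib
import hmac

SECRET_KEY = b"example-only-salt-not-a-real-secret"   # assumption: plays the role of the wp-config salts
NONCE_LIFE = 24 * 60 * 60                              # seconds; WordPress uses a 24h life split into two ticks
TICK = NONCE_LIFE // 2

# The only field the PoC needs to carry, with the value Henri used above.
ATTACKER_POST = {"widget-rss[1][url]": "http://www.debian.org/security/dsa"}


def nonce_tick(now):
    """Half-life window number for a UNIX timestamp."""
    return int(now // TICK)


def create_nonce(user_id, action, now):
    """Nonce the admin page embeds in its own form for this user and action."""
    msg = f"{nonce_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:]


def verify_nonce(nonce, user_id, action, now):
    """Accept the current or the immediately previous tick, like WordPress."""
    for window in (now, now - TICK):
        expected = create_nonce(user_id, action, window)
        if hmac.compare_digest(nonce, expected):
            return True
    return False


class WidgetStore:
    """Stand-in for the wp_options row that holds the RSS widget settings."""
    def __init__(self):
        self.rss_url = None


def save_widget_vulnerable(store, session_user, post):
    """Pre-fix shape: any POST arriving with the admin's session cookie is
    honoured, so a hidden <input name="widget-rss[1][url]"> on an attacker's
    page is enough to change the feed the widget fetches."""
    if session_user is None:
        return "login required"
    store.rss_url = post["widget-rss[1][url]"]
    return "saved"


def save_widget_fixed(store, session_user, post, now):
    """Same handler with a nonce check: the attacker's page cannot read the
    nonce from the admin UI, so its forged POST is refused before any write."""
    if session_user is None:
        return "login required"
    if not verify_nonce(post.get("_wpnonce", ""), session_user, "save-widget", now):
        return "forbidden: bad nonce"
    store.rss_url = post["widget-rss[1][url]"]
    return "saved"


def run_demo(now=1_700_000_000, admin_id=1):
    """Exercise both handlers; returns a dict of outcomes for inspection."""
    results = {}
    store = WidgetStore()
    results["vulnerable"] = save_widget_vulnerable(store, admin_id, ATTACKER_POST)
    results["vulnerable_url"] = store.rss_url

    store = WidgetStore()
    results["fixed_forged"] = save_widget_fixed(store, admin_id, ATTACKER_POST, now)
    results["fixed_forged_url"] = store.rss_url

    # Legitimate submission: the form rendered for this admin carries a nonce.
    legit = dict(ATTACKER_POST, _wpnonce=create_nonce(admin_id, "save-widget", now))
    results["fixed_legit"] = save_widget_fixed(WidgetStore(), admin_id, legit, now)

    # A nonce minted in the previous window is still accepted; an older one is not.
    stale = dict(ATTACKER_POST, _wpnonce=create_nonce(admin_id, "save-widget", now - TICK))
    results["fixed_prev_tick"] = save_widget_fixed(WidgetStore(), admin_id, stale, now)
    expired = dict(ATTACKER_POST, _wpnonce=create_nonce(admin_id, "save-widget", now - 2 * TICK))
    results["fixed_expired"] = save_widget_fixed(WidgetStore(), admin_id, expired, now)

    # A nonce issued to another user does not transfer.
    other = dict(ATTACKER_POST, _wpnonce=create_nonce(2, "save-widget", now))
    results["fixed_other_user"] = save_widget_fixed(WidgetStore(), admin_id, other, now)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The point of binding the nonce to the user and the action is visible in the last two cases: a token lifted from another account, or minted for a different form, does not open this handler. The nonce does not replace the login check, it sits behind it; and because it is a predictable function of (tick, action, user) rather than a random per-request value, its security rests entirely on the secret staying server-side and on the attacker's page having no way to read the admin's rendered form.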

Marked as fixed in versions wordpress/3.5.1+dfsg-2. Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 02 Apr 2013 08:45:04 GMT)


Reply sent to Henri Salo <henri@nerv.fi>:
You have taken responsibility. (Tue, 02 Apr 2013 08:45:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 02 Apr 2013 08:45:08 GMT)


Message #27 received at 689031-done@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: 689031-done@bugs.debian.org
Subject: fixed in wheezy
Date: Tue, 2 Apr 2013 11:42:33 +0300
Version: 3.5.1+dfsg-2
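Henri's analysis also notes that the widget hands its stored URL to PHP's fopen, and the 3.5.1 release note he quotes concerns server-side request forgery through that kind of outbound fetch. As an added example, not WordPress code, the check below is the gate a feed fetcher should apply to an attacker-influenced URL before opening it: only http/https, no credentials in the URL, and no destination, whether an IP literal or a resolved address, inside loopback, private, link-local, multicast or reserved ranges. The resolver is injectable so the check runs offline; the hostnames and addresses in FAKE_DNS are constructed for the demo.

```python
# Added example, not WordPress code: a URL gate for the fetch side of the bug.
# The widget hands the stored URL to fopen, so once the CSRF lands the site
# fetches whatever the attacker chose; a fetch path like this is what the
# 3.5.1 SSRF/port-scanning note is about.  Rule: only http/https, no
# credentials in the URL, and no destination (literal or resolved) in
# loopback, private, link-local, multicast or reserved ranges.  The resolver
# is injectable so the check runs offline; FAKE_DNS is constructed.
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed records for an offline demo; the public address is arbitrary.
FAKE_DNS = {
    "feeds.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "rebinder.example": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback
}


def fake_resolver(host):
    """Offline stand-in for DNS; unknown names behave like NXDOMAIN."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


def system_resolver(host):
    """Production resolver: every address getaddrinfo returns, v4 and v6."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked_address(addr):
    """True for any address the site must never fetch from on an admin's behalf."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_feed_url(url, resolver=system_resolver):
    """Return (ok, reason, addresses).  When ok, connect to one of the returned
    addresses rather than resolving again, so a second lookup cannot swap in a
    different host (DNS rebinding)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:
        return False, f"unparseable: {exc}", []
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    if not host:
        return False, "no host", []
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", []
    try:
        addrs = [ipaddress.ip_address(host)]            # IP literal, no lookup
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"unresolvable: {exc}", []
    if not addrs:
        return False, "no addresses", []
    for addr in addrs:                                  # every record must pass
        if is_blocked_address(addr):
            return False, f"blocked destination {addr}", []
    return True, "ok", [str(a) for a in addrs]


if __name__ == "__main__":
    for candidate in ("http://feeds.example/rss", "http://intranet.example/",
                      "http://127.0.0.1:8080/", "http://[::ffff:127.0.0.1]/",
                      "file:///etc/passwd", "http://rebinder.example/"):
        print(candidate, check_feed_url(candidate, fake_resolver))
```

Two details carry most of the weight. Every resolved record is checked, not just the first, because a name that answers with one public and one loopback address (rebinder.example in the constructed table) lets the client pick the bad one; and the caller should connect to an address the check returned instead of resolving the name a second time, which would reopen the rebinding window. HTTP redirects need the same gate on every hop, since a public host can redirect into a private range.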

Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#689031; Package wordpress. (Tue, 02 Apr 2013 11:18:05 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Tue, 02 Apr 2013 11:18:05 GMT)


Message #32 received at 689031@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 689031@bugs.debian.org
Subject: Re: wordpress: CVE-2012-4448
Date: Tue, 02 Apr 2013 11:15:02 -0000
Package: wordpress

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.8) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/689031/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 May 2013 07:26:40 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:55:47 2019; Machine Name: buxtehude
