Debian Bug report logs -
#328909
wordpress: CSS Security Vulnerability
Reported by: Noam Rathaus <noamr@beyondsecurity.com>
Date: Sun, 18 Sep 2005 06:48:02 UTC
Severity: minor
Found in version wordpress/1.5.2-1
Fixed in version wordpress/2.0.1-1
Done: Kai Hendry <hendry@iki.fi>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to Noam Rathaus <noamr@beyondsecurity.com>:
New Bug report received and forwarded. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: wordpress
Version: 1.5.2-1
Severity: normal
A cross site scripting vulnerability exists in Wordpress, the vulnerability
manifests itself only when viewed by IE, as Mozilla converts < in the URL to
<
I attached a patch to resolve this issue.
# diff
-u /tmp/template-functions-links.php.orig /usr/share/wordpress/wp-includes/template-functions-links.php
--- /tmp/template-functions-links.php.orig 2005-09-18 06:18:54.000000000
+0000
+++ /usr/share/wordpress/wp-includes/template-functions-links.php
2005-09-18 06:20:23.000000000 +0000
@@ -353,6 +353,17 @@
global $wp_rewrite;
$qstr = $_SERVER['REQUEST_URI'];
+ $replacement = array ('"', // Replace HTML entities
+ '&',
+ '<',
+ '>');
+
+ $pattern = array ('/"/',
+ '/&/',
+ '/</',
+ '/>/');
+
+ $qstr = preg_replace($pattern, $replacement, $qstr);
$page_querystring = "paged";
$page_modstring = "page/";
@@ -489,4 +500,4 @@
}
}
-?>
\ No newline at end of file
+?>
-- System Information:
Debian Release: 3.1
Architecture: i386 (x86_64)
Kernel: Linux 2.6.11.6-RH1956
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages wordpress depends on:
ii apache [httpd] 1.3.33-6sarge1 versatile, high-performance HTTP
s
ii mysql-server [virtual-mys 4.0.24-10 mysql database server binaries
ii php4 4:4.3.10-16 server-side, HTML-embedded
scripti
ii php4-mysql 4:4.3.10-16 MySQL module for php4
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#328909; Package wordpress.
(full text, mbox, link).
Message #8 received at 328909@bugs.debian.org (full text, mbox, reply):
Thanks for the bug report.
I've forwarded this issue upstream on their BTS:
http://trac.wordpress.org/ticket/1686
Best wishes,
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to noamr@beyondsecurity.com:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Message #13 received at 328909@bugs.debian.org (full text, mbox, reply):
Cool.
On 9/19/05, Kai Hendry <hendry@iki.fi> wrote:
> Thanks for the bug report.
>
> I've forwarded this issue upstream on their BTS:
> http://trac.wordpress.org/ticket/1686
>
> Best wishes,
>
--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.
Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to noamr@beyondsecurity.com:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#328909; Package wordpress.
(full text, mbox, link).
Message #21 received at 328909@bugs.debian.org (full text, mbox, reply):
Btw is there a CAN number for this?
Tags added: moreinfo
Request was from Kai Hendry <hendry@iki.fi>
to control@bugs.debian.org.
(full text, mbox, link).
Severity set to `minor'.
Request was from Kai Hendry <hendry@iki.fi>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#328909; Package wordpress.
(full text, mbox, link).
Message #28 received at 328909@bugs.debian.org (full text, mbox, reply):
----- Forwarded message from Ryan Boren <ryan@boren.nu> -----
From: Ryan Boren <ryan@boren.nu>
To: Kai Hendry <hendry@iki.fi>
Subject: Re: Ryan
Date: Mon, 16 Jan 2006 11:26:34 -0800
X-Original-To: hendry@dabase.com
Delivered-To: hendry@chopstick.dreamhost.com
X-Forwarded-To: hendry@dabase.com
X-Forwarded-For: kai.hendry@gmail.com hendry@dabase.com
X-Gmail-Received: 68cf22ddba033b8e9f1af53a7a43d0c6d6060d79
Delivered-To: kai.hendry@gmail.com
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
chopstick.dreamhost.com
On Mon, 2006-01-16 at 11:01 +1100, Kai Hendry wrote:
> On 2006-01-15T15:42-0800 Ryan Boren wrote:
> > On Mon, 2006-01-16 at 09:05 +1100, Kai Hendry wrote:
> > > Are you the Ryan on http://trac.wordpress.org/ticket/1686
> > > If so why not apply the patch?
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328909
> > Oops. I thought Dougal took care of that one way back when. I applied
> > the wp_specialchars() fix.
>
> Applied on 2.0? So I can close this bug?
It will be in 2.0.1. Yes, you can close.
Thanks,
Ryan
----- End forwarded message -----
Tags removed: moreinfo
Request was from Kai Hendry <hendry@iki.fi>
to control@bugs.debian.org.
(full text, mbox, link).
Reply sent to Kai Hendry <hendry@iki.fi>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Noam Rathaus <noamr@beyondsecurity.com>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #35 received at 328909-close@bugs.debian.org (full text, mbox, reply):
Source: wordpress
Source-Version: 2.0.1-1
We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:
wordpress_2.0.1-1.diff.gz
to pool/main/w/wordpress/wordpress_2.0.1-1.diff.gz
wordpress_2.0.1-1.dsc
to pool/main/w/wordpress/wordpress_2.0.1-1.dsc
wordpress_2.0.1-1_all.deb
to pool/main/w/wordpress/wordpress_2.0.1-1_all.deb
wordpress_2.0.1.orig.tar.gz
to pool/main/w/wordpress/wordpress_2.0.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 328909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kai Hendry <hendry@iki.fi> (supplier of updated wordpress package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 2 Feb 2006 11:22:31 +0900
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.0.1-1
Distribution: unstable
Urgency: low
Maintainer: Kai Hendry <hendry@iki.fi>
Changed-By: Kai Hendry <hendry@iki.fi>
Description:
wordpress - an award winning weblog manager
Closes: 328909 348458
Changes:
wordpress (2.0.1-1) unstable; urgency=low
.
* New upstream release
* CSS Security Vulnerability (Closes: #328909)
* Please announce that upgrade.php needs to be run after update
(Closes: #348458)
Files:
74d6a39f48b1c106efeda2b4523f12cf 564 web optional wordpress_2.0.1-1.dsc
5eb6685eba97c67ccaebc74de30cef4e 504946 web optional wordpress_2.0.1.orig.tar.gz
2829cca9acd7951df4b31d4d774e0eb8 6847 web optional wordpress_2.0.1-1.diff.gz
f2c38ee5f746a76f81930c6ac96030dc 501174 web optional wordpress_2.0.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFD4cJAK/juK3+WFWQRAjKCAJ9b1usSRsfOV2DZ7UfgeZULIhcNtACfS7Og
Oc7zV4CURwNv62WxHELC9XY=
=B84s
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to Micah Anderson <micah@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Message #40 received at 328909@bugs.debian.org (full text, mbox, reply):
Package: wordpress
Followup-For: Bug #328909
Hi,
I'm doing tracking work for the testing-security team and am trying to
identify a CVE ID for this issue. I do not see one referenced in the bug
report, or changelog and there are a few CVE IDs that have been issued
for wordpress which might cover this problem.
I am not able to find where the wordpress upstream addressed this issue,
and do not see this patch in
http://trac.wordpress.org/file/trunk/wp-includes/template-functions-links.php
Do you have any insight into if the wordpress upstream fixed this, where
that fix was acknowledged, and if there is a CVE identifier for this
issue?
Thanks,
Micah
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15+vserver
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#328909; Package wordpress.
(full text, mbox, link).
Message #43 received at 328909@bugs.debian.org (full text, mbox, reply):
----- Forwarded message from Ryan Boren <ryan@boren.nu> -----
From: Ryan Boren <ryan@boren.nu>
To: Kai Hendry <hendry@iki.fi>
Cc: security@wordpress.org
Subject: Re: [micah@debian.org: Bug#328909: wordpress: Is this issue related
to a CVE ID?]
Date: Mon, 27 Mar 2006 18:05:59 -0800
X-Original-To: hendry@dabase.com
Delivered-To: hendry@chopstick.dreamhost.com
X-Forwarded-To: hendry@dabase.com
X-Forwarded-For: kai.hendry@gmail.com hendry@dabase.com
X-Gmail-Received: 371c1af775c6bb46b4a6825e96c01f7b5c296709
Delivered-To: kai.hendry@gmail.com
X-Accept-Language: en-us, en
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
chopstick.dreamhost.com
Kai Hendry wrote:
>Do you keep a list of what CVE ID issues have been closed?
>
>They're important for the Debian security team.
http://trac.wordpress.org/ticket/1686
I'm not aware of any CVE ID for this issue. The patch in #328909 was
not used. We fixed it a different way.
Ryan
----- End forwarded message -----
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to Micah Anderson <micah@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Message #48 received at 328909@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Thanks for the information on this. I have requested a CVE ID from Mitre
for this issue, having unique identifiers for issues allow us to track
what has and hasn't been fixed much easier. I will send on the ID once
it has been allocated so you may update your notes as necessary.
Micah
Kai Hendry wrote:
> ----- Forwarded message from Ryan Boren <ryan@boren.nu> -----
>
> From: Ryan Boren <ryan@boren.nu>
> To: Kai Hendry <hendry@iki.fi>
> Cc: security@wordpress.org
> Subject: Re: [micah@debian.org: Bug#328909: wordpress: Is this issue related
> to a CVE ID?]
> Date: Mon, 27 Mar 2006 18:05:59 -0800
> X-Original-To: hendry@dabase.com
> Delivered-To: hendry@chopstick.dreamhost.com
> X-Forwarded-To: hendry@dabase.com
> X-Forwarded-For: kai.hendry@gmail.com hendry@dabase.com
> X-Gmail-Received: 371c1af775c6bb46b4a6825e96c01f7b5c296709
> Delivered-To: kai.hendry@gmail.com
> X-Accept-Language: en-us, en
> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
> chopstick.dreamhost.com
>
> Kai Hendry wrote:
>> Do you keep a list of what CVE ID issues have been closed?
>>
>> They're important for the Debian security team.
>
> http://trac.wordpress.org/ticket/1686
>
> I'm not aware of any CVE ID for this issue. The patch in #328909 was
> not used. We fixed it a different way.
>
> Ryan
>
>
> ----- End forwarded message -----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEKxWT9n4qXRzy1ioRAmsiAKCSfcQgFfIcHU5txicqwNLw9ZbWuwCeJy5A
k8baKvzlWlC8i4VfCDc8mwI=
=rIwg
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Message #53 received at 328909@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
About this issue, was it addressed earlier than CVE-2006-1263 was?
Also, was this bug publicly available in 2005, or did not not get
disclosed until 2006? It's not clear from the bug reports, the bug
existed in 2005, but I cannot tell if it was public or not.
Thanks for the help,
Micah
Micah Anderson wrote:
>
> Hi,
>
> Thanks for the information on this. I have requested a CVE ID from Mitre
> for this issue, having unique identifiers for issues allow us to track
> what has and hasn't been fixed much easier. I will send on the ID once
> it has been allocated so you may update your notes as necessary.
>
> Micah
>
> Kai Hendry wrote:
>>> ----- Forwarded message from Ryan Boren <ryan@boren.nu> -----
>>>
>>> From: Ryan Boren <ryan@boren.nu>
>>> To: Kai Hendry <hendry@iki.fi>
>>> Cc: security@wordpress.org
>>> Subject: Re: [micah@debian.org: Bug#328909: wordpress: Is this issue related
>>> to a CVE ID?]
>>> Date: Mon, 27 Mar 2006 18:05:59 -0800
>>> X-Original-To: hendry@dabase.com
>>> Delivered-To: hendry@chopstick.dreamhost.com
>>> X-Forwarded-To: hendry@dabase.com
>>> X-Forwarded-For: kai.hendry@gmail.com hendry@dabase.com
>>> X-Gmail-Received: 371c1af775c6bb46b4a6825e96c01f7b5c296709
>>> Delivered-To: kai.hendry@gmail.com
>>> X-Accept-Language: en-us, en
>>> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
>>> chopstick.dreamhost.com
>>>
>>> Kai Hendry wrote:
>>>> Do you keep a list of what CVE ID issues have been closed?
>>>>
>>>> They're important for the Debian security team.
>>> http://trac.wordpress.org/ticket/1686
>>>
>>> I'm not aware of any CVE ID for this issue. The patch in #328909 was
>>> not used. We fixed it a different way.
>>>
>>> Ryan
>>>
>>>
>>> ----- End forwarded message -----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEKx519n4qXRzy1ioRAtf6AJ9ICE5bC7qnAZvZnizjBeinPlrU0gCdGtNb
oi9Zs5mOE3PhvYgx8P3Cm5Y=
=DA+i
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to Micah Anderson <micah@debian.org>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Message #58 received at 328909@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I haven't heard back about these questions, I just wanted to check in to
see if they were received ok?
Thanks!
Micah
Micah Anderson wrote:
>
> Hi,
>
> About this issue, was it addressed earlier than CVE-2006-1263 was?
>
> Also, was this bug publicly available in 2005, or did not not get
> disclosed until 2006? It's not clear from the bug reports, the bug
> existed in 2005, but I cannot tell if it was public or not.
>
> Thanks for the help,
> Micah
>
> Micah Anderson wrote:
>>> Hi,
>>>
>>> Thanks for the information on this. I have requested a CVE ID from Mitre
>>> for this issue, having unique identifiers for issues allow us to track
>>> what has and hasn't been fixed much easier. I will send on the ID once
>>> it has been allocated so you may update your notes as necessary.
>>>
>>> Micah
>>>
>>> Kai Hendry wrote:
>>>>> ----- Forwarded message from Ryan Boren <ryan@boren.nu> -----
>>>>>
>>>>> From: Ryan Boren <ryan@boren.nu>
>>>>> To: Kai Hendry <hendry@iki.fi>
>>>>> Cc: security@wordpress.org
>>>>> Subject: Re: [micah@debian.org: Bug#328909: wordpress: Is this issue related
>>>>> to a CVE ID?]
>>>>> Date: Mon, 27 Mar 2006 18:05:59 -0800
>>>>> X-Original-To: hendry@dabase.com
>>>>> Delivered-To: hendry@chopstick.dreamhost.com
>>>>> X-Forwarded-To: hendry@dabase.com
>>>>> X-Forwarded-For: kai.hendry@gmail.com hendry@dabase.com
>>>>> X-Gmail-Received: 371c1af775c6bb46b4a6825e96c01f7b5c296709
>>>>> Delivered-To: kai.hendry@gmail.com
>>>>> X-Accept-Language: en-us, en
>>>>> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
>>>>> chopstick.dreamhost.com
>>>>>
>>>>> Kai Hendry wrote:
>>>>>> Do you keep a list of what CVE ID issues have been closed?
>>>>>>
>>>>>> They're important for the Debian security team.
>>>>> http://trac.wordpress.org/ticket/1686
>>>>>
>>>>> I'm not aware of any CVE ID for this issue. The patch in #328909 was
>>>>> not used. We fixed it a different way.
>>>>>
>>>>> Ryan
>>>>>
>>>>>
>>>>> ----- End forwarded message -----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEPV2I9n4qXRzy1ioRAqCkAKCkmA/2yg92ZAncxBw2ZfEHmP0LpgCgiCRw
rSCN4ds1uXMVSMTsSiO8F20=
=O5id
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#328909; Package wordpress.
(full text, mbox, link).
Message #61 received at 328909@bugs.debian.org (full text, mbox, reply):
I passed this message onto security@wordpress.org and they haven't got
back to us.
Information forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#328909; Package wordpress.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Kai Hendry <hendry@iki.fi>.
(full text, mbox, link).
Message #66 received at 328909@bugs.debian.org (full text, mbox, reply):
this issue is now CVE-2006-1796
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 13:17:30 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:59:45 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon