(Gentoo Issues Fix) WordPress Input Validation Holes Permit Response Splitting Attacks
|
|
SecurityTracker Alert ID: 1011697 |
|
SecurityTracker URL: http://securitytracker.com/id/1011697
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 15 2004
|
Impact:
Modification of system information, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.2
|
Description:
An input validation vulnerability was reported in WordPress. A remote user can conduct response splitting attacks.
Chaotic Evil reported that the 'wp-login.php' script does not properly validate user-supplied input. A remote user can submit a specially crafted POST request to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.
A demonstration exploit HTTP POST request is provided:
POST /wp-login.php HTTP/1.0
Host: HOSTNAME
Content-Type: application/x-www-form-urlencoded
Content-length: 226
action=login&mode=profile&log=USER&pwd=PASS&text=
%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%20
0%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:
%2021%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>
*defaced*</html>
The vendor was notified on September 24, 2004.
|
Impact:
A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.
A remote user may be able to poison any intermediate web caches with arbitrary content.
|
Solution:
Gentoo has released a fix and indicates that all WordPress users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=www-apps/wordpress-1.2.1"
# emerge ">=www-apps/wordpress-1.2.1"
|
Vendor URL: www.wordpress.org/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Gentoo)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 14 Oct 2004 08:03:02 -0400
Subject: [gentoo-announce] [ GLSA 200410-12 ] WordPress: HTTP response splitting and XSS
|
--=-k0hwKbesKEvG15WMqlgE
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200410-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: WordPress: HTTP response splitting and XSS vulnerabilities
Date: October 14, 2004
Bugs: #65798
ID: 200410-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D
WordPress contains HTTP response splitting and cross-site scripting
vulnerabilities.
Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
WordPress is a PHP and MySQL based content management and publishing
system.
Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-apps/wordpress < 1.2.1 >=3D 1.2.1
Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Due to the lack of input validation in the administration panel
scripts, WordPress is vulnerable to HTTP response splitting and
cross-site scripting attacks.
Impact
=3D=3D=3D=3D=3D=3D
A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser.
Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
There is no known workaround at this time.
Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
All WordPress users should upgrade to the latest version:
# emerge sync
# emerge -pv ">=3Dwww-apps/wordpress-1.2.1"
# emerge ">=3Dwww-apps/wordpress-1.2.1"
References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[ 1 ] WordPress 1.2.1 Release Notes
http://wordpress.org/development/2004/10/wp-121/
Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200410-12.xml
Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=3D=3D=3D=3D=3D=3D=3D
Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/1.0
--=-k0hwKbesKEvG15WMqlgE
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQBBbmr2Rsm3eDkOu7kRAlDOAJ9cM840cGmXsWdbzN2w/Xm8xe2BZQCdHYop
rJx71C14ZxyXZoYUnBvOuv8=
=7jwZ
-----END PGP SIGNATURE-----
--=-k0hwKbesKEvG15WMqlgE--
|
|
