Date: Thu, 2 Dec 2010 15:44:30 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: Jon Ciesla <limb@...mserv.net>,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE Request -- Wordpress v3.0.2 SQL injection
 flaw + two minor XSS issues


----- "Jan Lieskovsky" <jlieskov@...hat.com> wrote:

> Hello Steve, vendors,
> 
>    Wordpress upstream has released latest v3.0.2 version, addressing
> one SQL injection flaw:
> 
>    1), SQL injection flaw by processing trackbacks
> 
>    An improper input sanitization flaw was found in the way Wordpress
> performed trackbacks (a way to notify a website when an entry that
> references it is published) maintenance. A remote attacker
> with Author-level privilege could use this flaw to conduct
> SQL injection attacks (gain further access to the site, which
> should be otherwise prohibited).
> 
>    References:
>    [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605603
>    [2] http://codex.wordpress.org/Version_3.0.2
>    [3] http://core.trac.wordpress.org/changeset/16625
>    [4] https://bugzilla.redhat.com/show_bug.cgi?id=659265

Use CVE-2010-4257 for the SQL injection flaw.

I'm less sure about the other two.

> The two XSS issues below are minor, as they need Wordpress administrator
> to perform the attack, but according to CVE philosophy, the CVE ids
> should be assigned for them too. But these two opened / left for further
> discussion:
> 
>    2), XSS in requesting user credentials in order to connect to the
> filesystem
>    References:
>    [7] https://bugzilla.redhat.com/show_bug.cgi?id=659294
>    [8] http://codex.wordpress.org/Version_3.0.2
>    [9] http://core.trac.wordpress.org/changeset/16367
> 
>    3), XSS when deleting a plugin
>    References:
>    [10] https://bugzilla.redhat.com/show_bug.cgi?id=659299
>    [11] http://codex.wordpress.org/Version_3.0.2
>    [12] http://core.trac.wordpress.org/changeset/16373
> 
> Note: The other issues mentioned in:
>        http://codex.wordpress.org/Version_3.0.2
> 
>        should be only bugfixes.
> 

Do these two XSS flaws cross a trust boundary? I'm not familiar with
WordPress.

I looked back at previous WordPress admin-related issues; there were none
like this. Most XSS things affecting the admin involved an XSS that affects
the admin, not one triggered by an admin.

Thanks.

-- 
    JB
