SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   WordPress Vendors:   wordpress.org
(Gentoo Issues Fix) WordPress Input Validation Holes Permit Response Splitting Attacks
SecurityTracker Alert ID:  1011697
SecurityTracker URL:  http://securitytracker.com/id/1011697
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 15 2004
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.2
Description:   An input validation vulnerability was reported in WordPress. A remote user can conduct response splitting attacks.

Chaotic Evil reported that the 'wp-login.php' script does not properly validate user-supplied input. A remote user can submit a specially crafted POST request to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.

A demonstration exploit HTTP POST request is provided:

POST /wp-login.php HTTP/1.0
Host: HOSTNAME
Content-Type: application/x-www-form-urlencoded
Content-length: 226

action=login&mode=profile&log=USER&pwd=PASS&text=
%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%20
0%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Length:
%2021%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>
*defaced*</html>

The vendor was notified on September 24, 2004.

Impact:   A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.

A remote user may be able to poison any intermediate web caches with arbitrary content.

Solution:   Gentoo has released a fix and indicates that all WordPress users should upgrade to the latest version:

# emerge sync

# emerge -pv ">=www-apps/wordpress-1.2.1"
# emerge ">=www-apps/wordpress-1.2.1"

Vendor URL:  www.wordpress.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Gentoo)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 11 2004 WordPress Input Validation Holes Permit Response Splitting Attacks



 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 200410-12 ] WordPress: HTTP response splitting and XSS



--=-k0hwKbesKEvG15WMqlgE
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: WordPress: HTTP response splitting and XSS vulnerabilities
      Date: October 14, 2004
      Bugs: #65798
        ID: 200410-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=3D=3D=3D=3D=3D=3D=3D=3D

WordPress contains HTTP response splitting and cross-site scripting
vulnerabilities.

Background
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

WordPress is a PHP and MySQL based content management and publishing
system.

Affected packages
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  www-apps/wordpress       < 1.2.1                         >=3D 1.2.1

Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Due to the lack of input validation in the administration panel
scripts, WordPress is vulnerable to HTTP response splitting and
cross-site scripting attacks.

Impact
=3D=3D=3D=3D=3D=3D

A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser.

Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

There is no known workaround at this time.

Resolution
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

All WordPress users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=3Dwww-apps/wordpress-1.2.1"
    # emerge ">=3Dwww-apps/wordpress-1.2.1"

References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

  [ 1 ] WordPress 1.2.1 Release Notes
        http://wordpress.org/development/2004/10/wp-121/

Availability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-12.xml

Concerns?
=3D=3D=3D=3D=3D=3D=3D=3D=3D

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=3D=3D=3D=3D=3D=3D=3D

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

--=-k0hwKbesKEvG15WMqlgE
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBbmr2Rsm3eDkOu7kRAlDOAJ9cM840cGmXsWdbzN2w/Xm8xe2BZQCdHYop
rJx71C14ZxyXZoYUnBvOuv8=
=7jwZ
-----END PGP SIGNATURE-----

--=-k0hwKbesKEvG15WMqlgE--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC