[CVE-2008-3747] - wordpress before 2.6.1 ssl problem might allow remote attackers to gain administrative access by sniffing the network for a cookie

Bug #269301 reported by Stefan Lesicnik
Affects             Status        Importance  Assigned to  Milestone
wordpress (Ubuntu)  Fix Released  Undecided   Unassigned
Intrepid            Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: wordpress

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3747

The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie.

    * MLIST:[oss-security] 20080819 wordpress 2.6.1
    * URL:http://www.openwall.com/lists/oss-security/2008/08/19/1
    * MLIST:[oss-security] 20080820 Re: wordpress 2.6.1
    * URL:http://www.openwall.com/lists/oss-security/2008/08/20/3
    * CONFIRM:http://trac.wordpress.org/ticket/7359
    * BID:30750
    * URL:http://www.securityfocus.com/bid/30750
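The flaw in the description is easiest to see side by side: a link builder that copies the scheme of the site URL versus one that upgrades admin links to https when the admin area is meant to be SSL-only. This is an added illustration in simplified PHP, not WordPress code; `admin_url_for`, `$force_ssl_admin` and the site URL are stand-ins for the real helpers and settings.

```php
<?php
// Added illustration (not WordPress code). Constructed settings: the blog
// is served on http, but the admin area is intended to be SSL-only.
$siteurl         = 'http://blog.example.test';
$force_ssl_admin = true;

// Vulnerable pattern: the edit link inherits the site URL's scheme. If the
// admin session was established over https, following this plain-http link
// makes the browser send the auth cookie in the clear unless the cookie
// itself carries the Secure flag.
function edit_post_link_vulnerable(int $post_id, string $siteurl): string
{
    return $siteurl . '/wp-admin/post.php?action=edit&post=' . $post_id;
}

// Hardened pattern: every admin link goes through one helper that forces
// https whenever the admin area is SSL-only (stand-in for WordPress'
// admin_url()/force_ssl_admin() pair).
function admin_url_for(string $path, string $siteurl, bool $force_ssl_admin): string
{
    if ($force_ssl_admin) {
        $siteurl = preg_replace('#^http://#i', 'https://', $siteurl);
    }
    return rtrim($siteurl, '/') . '/wp-admin/' . ltrim($path, '/');
}

function edit_post_link_fixed(int $post_id, string $siteurl, bool $force_ssl_admin): string
{
    return admin_url_for('post.php?action=edit&post=' . $post_id, $siteurl, $force_ssl_admin);
}

// Defence in depth: mark the admin cookie Secure so that even a stray
// http:// link cannot leak it. Constructed cookie name and value.
function set_admin_cookie(string $value, bool $force_ssl_admin): void
{
    setcookie('admin_session', $value, [
        'secure'   => $force_ssl_admin,
        'httponly' => true,
        'path'     => '/wp-admin',
    ]);
}

echo edit_post_link_vulnerable(42, $siteurl), "\n";
echo edit_post_link_fixed(42, $siteurl, $force_ssl_admin), "\n";
```

Run with `php` on the command line to compare the two links; the array form of `setcookie()` requires PHP 7.3 or later.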

Revision history for this message
Stefan Lesicnik (stefanlsd) wrote :

debdiff for Intrepid to include security patch from Debian.

Changed in wordpress:
status: New → In Progress
William Grant (wgrant) wrote :

Maybe this will link it to CVE-2008-3747. Yes, you heard me Launchpad: CVE-2008-3747.

Stefan Lesicnik (stefanlsd) wrote :

I would like to propose that this bug receive the won't-fix status for the moment.

The CVE reports that SSL communication is not forced in the intended situations. After speaking to some wordpress developers on IRC, it was said that SSL was only introduced into wordpress 2.6+. Ubuntu currently contains 2.5 and below and the SSL functionality is not included in this version, therefore the CVE doesn't really apply.

Debian has created a patch (shown in the debdiff attached to this bug report) that backports the SSL functionality and some functions into 2.5. I believe this is not a true security patch, but more of an SRU. There have also been numerous fixes to the SSL implementation in the wordpress 2.6 tree that are not backported in that patch.

The first upload into Debian actually broke wordpress functionality, and was fixed in a subsequent upload [1][2].

Wordpress 2.6 should make it into Jaunty - where SSL will be fixed as per upstream. There is also a Debian bug filed for the upgrade [3].

If anyone would like to comment or re-open this bug, please feel free to do so. I am leaving the debdiff for Intrepid (with the Debian patch) attached to this bug in case we would still like to make the Debian change.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497216
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497524
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490977

Jamie Strandboge (jdstrand) wrote :

Per comments, marking as Won't Fix. When the Debian patch matures, perhaps it can be considered for an SRU.

Changed in wordpress:
status: In Progress → Won't Fix
status: In Progress → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wordpress - 2.5.1-8ubuntu1

---------------
wordpress (2.5.1-8ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
   + debian/apache.conf:
    - Changed to use /var/www instead of /srv/www for virtual webroot.
   + debian/setup-mysql:
    - Changed to use /var/www instead of /srv/www.
   + debian/patches/010_remove_update_notice.patch:
    - Removed Wordpress upgrade notify in admin dashboard.
  * Drop debian/patches/008CVE2008-3747.patch; as we don't support SSL
    in our version, we don't need it. (See LP: #269301)

wordpress (2.5.1-8) unstable; urgency=high

  * Added 009CVE2008-4106 patch. (Closes: #500115)
    Whitespaces in user name are now checked during login.
    It's not possible to register an "admin(n-whitespaces)" user anymore
    to gain unauthorized access to the admin panel.

wordpress (2.5.1-7) unstable; urgency=high

  * Modified CVE2008-3747 patch. (Closes: #497524)
    The old patch made the package completely unusable. The new
    one should solve the issue. (Thanks to Del Gurt)

wordpress (2.5.1-6) unstable; urgency=high

  * Added patch to fix remote attack vulnerability (Closes: #497216)
   Attackers could gain administrative powers by sniffing cookies.
   This patch forces wordpress over an ssl connection to prevent
   this issue. (CVE-2008-3747)

 -- Stefan Ebner <email address hidden> Thu, 02 Oct 2008 22:24:20 +0200

Changed in wordpress:
status: Won't Fix → Fix Released
James Westby (james-w) wrote :

Sorry, I didn't mean to close this bug, I just uploaded the wrong
.changes.

Thanks,

James

Changed in wordpress:
status: Fix Released → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wordpress - 2.5.1-10ubuntu1

---------------
wordpress (2.5.1-10ubuntu1) jaunty; urgency=low

  * Merge from debian unstable, remaining changes: (LP: #301340)
   + debian/apache.conf:
    - Changed to use /var/www instead of /srv/www for virtual webroot.
   + debian/setup-mysql:
    - Changed to use /var/www instead of /srv/www.
  * debian/patches/010_remove_update_notice.patch:
    - Reworked original patch to remove Wordpress upgrade notify
      in admin dashboard (Rolf Leggewie) (LP: #227547)
  * Include patch for CVE2008-3747 (LP: #269301)

wordpress (2.5.1-10) unstable; urgency=high

  * 007CVE2008-2392.patch modified.
   Now users can dynamically choose to enable unrestricted upload for admins.
  * 010_REQUEST.patch added.
   This patch is only a workaround for #504771. Now cookies are properly
   checked; if something malicious is found wordpress stops any other execution
   until the cookies are cleaned.

 -- Stefan Lesicnik <email address hidden> Sun, 23 Nov 2008 18:12:33 +0200

Changed in wordpress:
status: Invalid → Fix Released
This report contains Public Security information.