Search...

WordPress wp-admin/admin.php模块错误权限检查漏洞

2009-07-10T00:00:00

ID SSV:11788
Type seebug
Reporter Root
Modified 2009-07-10T00:00:00

Description

BUGTRAQ ID: 35584 CVE(CAN) ID: CVE-2009-2334

WordPress是一款免费的论坛Blog系统。

WordPress对使用page参数的插件配置PHP模块缺少权限检查，如果非特权用户在请求中用admin.php替换了options- general.php或plugins.php，就可以非授权查看插件配置页面的内容，或修改某些插件选项并注入JavaScript代码。

WordPress WordPress 2.8 WordPress WordPress MU 2.7.1 WordPress

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://wordpress.org/

                                        
                                            
                                                http://www.example.com/wp-admin/admin.php?page=/collapsing-archives/options.txt
http://www.example.com/wp-admin/admin.php?page=akismet/readme.txt
http://www.example.com/wp-admin/admin.php?page=related-ways-to-take-action/options.php
http://www.example.com/wp-admin/admin.php?page=wp-security-scan/securityscan.php

JSON Vulners Source

Initial Source

{"sourceData": "\n http://www.example.com/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\nhttp://www.example.com/wp-admin/admin.php?page=akismet/readme.txt\r\nhttp://www.example.com/wp-admin/admin.php?page=related-ways-to-take-action/options.php\r\nhttp://www.example.com/wp-admin/admin.php?page=wp-security-scan/securityscan.php\n ", "status": "poc,details", "description": "BUGTRAQ ID: 35584\r\nCVE(CAN) ID: CVE-2009-2334\r\n\r\nWordPress\u662f\u4e00\u6b3e\u514d\u8d39\u7684\u8bba\u575bBlog\u7cfb\u7edf\u3002\r\n\r\nWordPress\u5bf9\u4f7f\u7528page\u53c2\u6570\u7684\u63d2\u4ef6\u914d\u7f6ePHP\u6a21\u5757\u7f3a\u5c11\u6743\u9650\u68c0\u67e5\uff0c\u5982\u679c\u975e\u7279\u6743\u7528\u6237\u5728\u8bf7\u6c42\u4e2d\u7528admin.php\u66ff\u6362\u4e86options- general.php\u6216plugins.php\uff0c\u5c31\u53ef\u4ee5\u975e\u6388\u6743\u67e5\u770b\u63d2\u4ef6\u914d\u7f6e\u9875\u9762\u7684\u5185\u5bb9\uff0c\u6216\u4fee\u6539\u67d0\u4e9b\u63d2\u4ef6\u9009\u9879\u5e76\u6ce8\u5165JavaScript\u4ee3\u7801\u3002\n\nWordPress WordPress 2.8\r\nWordPress WordPress MU 2.7.1\nWordPress\r\n---------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://wordpress.org/", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11788", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-11788", "type": "seebug", "viewCount": 12, "references": [], "lastseen": "2017-11-19T18:49:00", "published": "2009-07-10T00:00:00", "cvelist": ["CVE-2009-2334"], "id": "SSV:11788", "enchantments_done": [], "modified": "2009-07-10T00:00:00", "title": "WordPress wp-admin/admin.php\u6a21\u5757\u9519\u8bef\u6743\u9650\u68c0\u67e5\u6f0f\u6d1e", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2017-11-19T18:49:00", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2334"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310861681", "OPENVAS:66255", "OPENVAS:136141256231066258", "OPENVAS:64407", "OPENVAS:64697", "OPENVAS:136141256231066255", "OPENVAS:64404", "OPENVAS:136141256231064697", "OPENVAS:861681", "OPENVAS:66258"]}, {"type": "exploitdb", "idList": ["EDB-ID:9110"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22142", "SECURITYVULNS:VULN:10056"]}, {"type": "nessus", "idList": ["FEDORA_2009-7701.NASL", "FEDORA_2009-7729.NASL", "FEDORA_2009-8529.NASL", "FEDORA_2009-8538.NASL", "DEBIAN_DSA-1871.NASL"]}, {"type": "seebug", "idList": ["SSV:14855", "SSV:11777"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:79033"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:EA9973B6F5F19BFE8F3E86AA281A9086"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1871-1:82465", "DEBIAN:DSA-1871-2:31819"]}], "modified": "2017-11-19T18:49:00", "rev": 2}, "vulnersScore": 6.3}}

{"cve": [{"lastseen": "2020-12-09T19:31:20", "description": "wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be leveraged for cross-site scripting (XSS) and denial of service.", "edition": 5, "cvss3": {}, "published": "2009-07-10T21:00:00", "title": "CVE-2009-2334", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-2334"], "modified": "2018-10-10T19:39:00", "cpe": ["cpe:/a:wordpress:wordpress:1.2", "cpe:/a:wordpress:wordpress:2.2.2", "cpe:/a:wordpress:wordpress_mu:1.3", "cpe:/a:wordpress:wordpress:2.2", "cpe:/a:wordpress:wordpress_mu:2.6.3", "cpe:/a:wordpress:wordpress_mu:1.5", "cpe:/a:wordpress:wordpress:2.0.10_rc1", "cpe:/a:wordpress:wordpress:2.0", "cpe:/a:wordpress:wordpress_mu:1.2.5a", "cpe:/a:wordpress:wordpress:2.1.3", "cpe:/a:wordpress:wordpress:2.0.11", "cpe:/a:wordpress:wordpress:2.6.1", "cpe:/a:wordpress:wordpress:0.72", "cpe:/a:wordpress:wordpress:2.1.3_rc1", "cpe:/a:wordpress:wordpress:1.0.1-miles", "cpe:/a:wordpress:wordpress:2.0.6", "cpe:/a:wordpress:wordpress_mu:2.7", "cpe:/a:wordpress:wordpress:2.6.5", "cpe:/a:wordpress:wordpress_mu:1.2.1", "cpe:/a:wordpress:wordpress:2.3", "cpe:/a:wordpress:wordpress_mu:1.1.1", "cpe:/a:wordpress:wordpress:1.6", "cpe:/a:wordpress:wordpress:2.0.9", "cpe:/a:wordpress:wordpress:2.0.7", "cpe:/a:wordpress:wordpress:2.2_revision5003", "cpe:/a:wordpress:wordpress:1.0.2", "cpe:/a:wordpress:wordpress_mu:2.6.5", "cpe:/a:wordpress:wordpress:2.0.10", "cpe:/a:wordpress:wordpress:1.5.1.1", "cpe:/a:wordpress:wordpress:2.2_revision5002", "cpe:/a:wordpress:wordpress_mu:1.3.2", "cpe:/a:wordpress:wordpress:2.0.4", "cpe:/a:wordpress:wordpress:1.5", "cpe:/a:wordpress:wordpress:2.1.1", "cpe:/a:wordpress:wordpress:2.0.10_rc2", "cpe:/a:wordpress:wordpress_mu:1.1", "cpe:/a:wordpress:wordpress:0.711", "cpe:/a:wordpress:wordpress:2.0.5", "cpe:/a:wordpress:wordpress:0.71", "cpe:/a:wordpress:wordpress:1.0", "cpe:/a:wordpress:wordpress:2.1.3_rc2", "cpe:/a:wordpress:wordpress:2.1", "cpe:/a:wordpress:wordpress:2.2.3", "cpe:/a:wordpress:wordpress_mu:1.5.1", "cpe:/a:wordpress:wordpress:0.6.2.1", "cpe:/a:wordpress:wordpress:2.5", "cpe:/a:wordpress:wordpress_mu:1.2.3", "cpe:/a:wordpress:wordpress:2.1.2", "cpe:/a:wordpress:wordpress:1.3.1", "cpe:/a:wordpress:wordpress_mu:1.3.3", "cpe:/a:wordpress:wordpress:1.5.2", "cpe:/a:wordpress:wordpress:0.7", "cpe:/a:wordpress:wordpress_mu:2.6.1", "cpe:/a:wordpress:wordpress:0.6.2", "cpe:/a:wordpress:wordpress_mu:2.6", "cpe:/a:wordpress:wordpress:2.3.2", "cpe:/a:wordpress:wordpress:2.0.2", "cpe:/a:wordpress:wordpress:1.5.1.3", "cpe:/a:wordpress:wordpress:0.71-gold", "cpe:/a:wordpress:wordpress_mu:1.2.4", "cpe:/a:wordpress:wordpress_mu:1.2", "cpe:/a:wordpress:wordpress:2.2.1", "cpe:/a:wordpress:wordpress:2.0.3", "cpe:/a:wordpress:wordpress:2.2.0", "cpe:/a:wordpress:wordpress:2.6", "cpe:/a:wordpress:wordpress:2.6.3", "cpe:/a:wordpress:wordpress:1.0-platinum", "cpe:/a:wordpress:wordpress:1.5.1.2", "cpe:/a:wordpress:wordpress:1.5.1", "cpe:/a:wordpress:wordpress:1.0.1", "cpe:/a:wordpress:wordpress:2.0.1", "cpe:/a:wordpress:wordpress_mu:1.2.2", "cpe:/a:wordpress:wordpress_mu:2.6.2", "cpe:/a:wordpress:wordpress:1.5-strayhorn", "cpe:/a:wordpress:wordpress:1.2.1", "cpe:/a:wordpress:wordpress:2.7.1", "cpe:/a:wordpress:wordpress:2.0.8", "cpe:/a:wordpress:wordpress:1.2.2", "cpe:/a:wordpress:wordpress:1.2-delta", "cpe:/a:wordpress:wordpress:2.3.1", "cpe:/a:wordpress:wordpress:1.2-mingus", "cpe:/a:wordpress:wordpress_mu:1.3.1", "cpe:/a:wordpress:wordpress:1.0.2-blakey", "cpe:/a:wordpress:wordpress:2.3.3", "cpe:/a:wordpress:wordpress:2.5.1", "cpe:/a:wordpress:wordpress:1.4"], "id": "CVE-2009-2334", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2334", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:wordpress:wordpress_mu:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0-platinum:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.2.5a:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.5:rc1:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.2_revision5002:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.72:beta1:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.1.3_rc2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.2-delta:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.711:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.2-mingus:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.1.3_rc1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.72:rc1:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.10_rc1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.10_rc2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.7:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:2.7:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.2_revision5003:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.72:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0.2-blakey:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.3.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.6.2:beta_2:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.2:beta:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.6.2.1:beta_2:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.72:beta2:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.71-gold:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.71:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.2.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:0.6.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0.1-miles:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.5-strayhorn:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress_mu:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.3:rc1:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.1:alpha_3:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:2.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:wordpress:wordpress:1.0:rc3:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-01T09:53:42", "description": "WordPress Privileges Unchecked in admin.php and Multiple Information. CVE-2009-2334. Webapps exploit for php platform", "published": "2009-07-10T00:00:00", "type": "exploitdb", "title": "WordPress - Privileges Unchecked in admin.php and Multiple Information", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2334"], "modified": "2009-07-10T00:00:00", "id": "EDB-ID:9110", "href": "https://www.exploit-db.com/exploits/9110/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nWordPress Privileges Unchecked in admin.php and Multiple Information\nDisclosures\n\n\n\n1. *Advisory Information*\n\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\nInformation Disclosures\nAdvisory ID: CORE-2009-0515\nAdvisory URL:\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\nDate published: 2009-07-08\nDate of last update: 2009-07-08\nVendors contacted: WordPress\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Local file include, Privileges unchecked, Cross site scripting\n(XSS), Information disclosure\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 35581, 35584\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\n\n\n3. *Vulnerability Description*\n\nWordPress is a web application written in PHP that allows the easy\ninstallation of a flexible weblog on any computer connected to the\nInternet. WordPress 2.7 reached more than 6 million downloads during\nJune 2009 [9].\n\nA vulnerability was found in the way that WordPress handles some URL\nrequests. This results in unprivileged users viewing the content of\nplugins configuration pages, and also in some plugins modifying plugin\noptions and injecting JavaScript code. Arbitrary native code may be run\nby a malicious attacker if the blog administrator runs injected\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\nhosted outside 'wordpress.com', allow any person to create unprivileged\nusers called subscribers. Other sensitive username information\ndisclosures were found in WordPress.\n\n\n4. *Vulnerable packages*\n\n . WordPress 2.8 and previous\n . WordPress MU 2.7.1 and previous, used in WordPress.com\n\n\n5. *Non-vulnerable packages*\n\n . WordPress 2.8.1\n . WordPress MU 2.8.1, used in WordPress.com\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\nSecurity): this vulnerability may be mitigated by controlling access to\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\nApache access control mechanism ('.htaccess' file), see guideline for\nmore information [11].\n\n\n7. *Credits*\n\nThese vulnerabilities were discovered and researched by Fernando\nArnaboldi and Jos\u0102\u0083\u00c2\u0160 Orlicki from Core Security Technologies. Further\nresearch was made by Jose Orlicki from Core Security Technologies.\n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n8.1. *Introduction*\n\nIn the last few years several security bugs were found in WordPress\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\nto exploitation by blog spammers [3]. During 2009, a new round of\nattacks has appeared and security researchers are reporting new bugs or\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\nreport that administrative privileges are still unchecked when accessing\nany PHP file inside a plugin folder.\n\n\n8.2. *Access Control Roles*\n\nWordPress has a privilege model where any user has an assigned role [8].\nRegarding plugins only users characterized by the role Administrator can\nactivate plugins. Notice that only the blog hosting owner can add new\nplugins because these must by copied inside the host filesystem. The\nroles Editor, Author or Subscriber (the latter has the least privileges)\ncannot activate plugins, edit plugins, update plugins nor delete plugins\ninstalled by an Administrator. Besides that, the configuration of\nspecific plugins is a grey area because there is no distinguished\ncapability assigned [8].\n\nAlso due to cross-site scripting vulnerabilities inside plugins options\n(something very common), non-administrative users reconfiguring plugins\nmay inject persistent JavaScript code. Possibly arbitrary native code\ncan be executed by the attacker if the blog administrator runs injected\nJavasScript code that injects PHP code. It is important to observe that\nmany WordPress-powered blogs are configured to allow any blog visitor to\ncreate a Subscriber user without confirmation from the Administrator\nrole inside the following URL, although by default the Administrator\nrole must create these new users.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-login.php?action=register\n- -----------/\n\n This can be modified by the administrator in 'Membership/Anyone can\nregister'.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\n- -----------/\n\n\n\n\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\n(CVE-2009-2334, BID 35581)*\n\nNo privileges are checked on WordPress plugins configuration PHP modules\nusing parameter 'page' when we replace 'options-general.php' with\n'admin.php'. The same thing happens when replacing other modules such as\n'plugins.php' with 'admin.php'. Basic information disclosure is done\nthis way. For example, with the following URL a user with no privileges\ncan see the configuration of plugin Collapsing Archives, if installed.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\n- -----------/\n\n Instead of the following allowed URL.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\n- -----------/\n\n Another example of this information disclosure is shown on Akismet, a\nplugin shipped by default with WordPress.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\n- -----------/\n\n All plugins we have tested are vulnerable to this kind of information\ndisclosure, but in many of them the PHP files accessed just crashed. On\nthe other hand, for example, with capability 'import', privileges are\nchecked inside 'admin.php':\n\n/-----------\n\nif ( ! current_user_can('import') )\n wp_die(__('You are not allowed to import.'));\n- -----------/\n\n More dangerous scenarios exist, all of them can be exploited by users\nwith the Subscriber role, the least privileged.\n\n\n8.4. *Abuse example: XSS in plugin configuration module*\n\nIf installed, *Related Ways To Take Action* is an example of a WordPress\nplugin that is affected by many cross-site scripting vulnerabilities\n(XSS) that can be leveraged by an attacker using the unchecked\nprivileges described in this advisory to inject persistent JavaScript\ncode. Possibly, arbitrary native code can be executed by the attacker if\nthe blog administrator, when he/she logs in, runs injected JavasScript\ncode that edits blog PHP code. The original URL for reconfiguring the\nplugin can be accessed only by the Administrator role.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\n- -----------/\n\n But replacing the PHP file with the generic 'admin.php' any blog user\ncan modify this configuration.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\n- -----------/\n\n The following JavaScript injection can be entered within field *Exclude\nactions by term* to exemplify this kind of abuse. When the administrator\nenters the same page the injected browser code will be executed and\npossibly blog PHP can be modified to run arbitrary native code.\n\n/-----------\n\n\\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref=\"\n\n- -----------/\n\n This is the worst scenario that we found for the vulnerability.\n\n\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\n\nIf installed, the WordPress Security Scanner Plugin dashboard can be\nviewed similarly by any user besides the administrator using the plugin\nconfiguration page URL without modification. This dashboard includes\ncommon default blog configuration settings that are insecure and should\nbe modified by the blog administrator or hosting.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\n- -----------/\n\n\n\n\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\n\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\nreconfigured accessed with the same vulnerability.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\n- -----------/\n\n This gives an attacker the possibility to disable many features of the\nplugin, for example reactivate the forgotten password feature and\nreactivate the XML-RPC blog interface. Also you can deny the weblog\nservice by configuring this plugin to be overly sensitive, blocking any\nrequest. However the plugin cannot be totally disabled because the\nessential IDS parameters 'Maximum impact to ignore bad requests' and\n'Minimum impact to sanitize bad requests' are verified on the server\nside of the blog and cannot be distorted to deactivate the sanitizing or\nblocking features of the web IDS plugin.\n\n\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\n35584)*\n\nWordPress discriminates bad password from bad user logins, this reduces\nthe complexity of a brute force attack on WordPress blogs login\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\nwhen users use the forgotten mail interface to request a new password\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\nbe previously reported [6] but the WordPress team is refusing to modify\nthem alleging *user convenience*.\n\nDefault installation of WordPress 2.7.1 leaks the name of the user\nposting entries inside the HTML of the blog.\n\n/-----------\n\n <small>June 3rd, 2009 </small>\n- -----------/\n\n\n\nAlso several administrative modules give to anyone the complete path\nwhere the web application is hosted inside the server. This may simplify\nor enable other malicious attacks. An example follows.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-settings.php\n- -----------/\n\n\n\n/-----------\n\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\nfailed to open stream:\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\nFatal error: require() [function.require]: Failed opening required\n'ABSPATHwp-includes/compat.php'\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\n\n- -----------/\n\n\n\n\n9. *Report Timeline*\n\n. 2009-06-04:\nCore Security Technologies notifies the WordPress team of the\nvulnerabilities (security@wordpress.org) and offers a technical\ndescription encrypted or in plain-text. Advisory is planned for\npublication on June 22th.\n\n. 2009-06-08:\nCore notifies again the WordPress team of the vulnerability.\n\n. 2009-06-10:\nThe WordPress team asks Core for a technical description of the\nvulnerability in plain-text.\n\n. 2009-06-11:\nTechnical details sent to WordPress team by Core.\n\n. 2009-06-11:\nWordPress team notifies Core that a fix was produced and is available to\nCore for testing. WordPress team asserts that password and username\ndiscrimination as well as username leakage are known and will not be\nfixed because they are convenient for the users.\n\n. 2009-06-12:\nCore tells the WordPress team that the patch will be tested by Core as a\ncourtesy as soon as possible. It also requests confirmation that\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\nthe flaws included in the advisory draft CORE-2009-0515.\n\n. 2009-06-12:\nWordPress team confirms that WordPress 2.8 and earlier plus\nWordPress.com are vulnerable to the flaws included in the advisory draft.\n\n. 2009-06-17:\nCore informs the WordPress team that the patch is only fixing one of the\nfour proof of concept abuses included in the advisory draft. Core\nreminds the WordPress team that the advisory is scheduled to be\npublished on June 22th but a new schedule can be discussed.\n\n. 2009-06-19:\nCore asks for a new patched version of WordPress, if available, and\nnotifies the WordPress team that the publication of the advisory was\nre-scheduled to June 30th.\n\n. 2009-06-19:\nWordPress team confirms they have a new patch that has the potential to\nbreak a lot of plugins.\n\n. 2009-06-29:\nWordPress team asks for a delayance on advisory CORE-2009-0515\npublication until July 6th, when WordPress MU version will be patched.\n\n. 2009-06-29:\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\n\n. 2009-06-29:\nCore tells the WordPress team that other administrative PHP modules can\nalso be rendered by non-administrative users, such as module\n'admin-post.php' and 'link-parse-opml.php'.\n\n. 2009-07-02:\nWordPress team comments that 'admin.php' and 'admin-post.php' are\nintentionally open and plugins can choose to hook either privileged or\nunprivileged actions. They also comment that unprivileged access to\n'link-parse-opml.php' is benign but having this file open is bad form.\n\n. 2009-07-02:\nCore sends the WordPress team a new draft of the advisory and comments\nthat there is no capability specified in Worpress documentation for\nconfiguring plugins. Also control of actions registered by plugins is\nnot enforced. Core also notices that the privileges unchecked bug in\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\nrelease.\n\n. 2009-07-06:\nCore requests WordPress confirmation of the release date of WordPress\n2.8.1 and WordPress MU 2.8.\n\n. 2009-07-07:\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\nmade available to users and that the advisory may be published.\n\n. 2009-07-06:\nCore requests WordPress confirmation of the release date of WordPress MU\nand WordPress MU new version numbers.\n\n. 2009-07-07:\nWordPress team release WordPress 2.8.1 RC1 to its users.\n\n. 2009-07-08:\nWordPress team confirms that WordPress MU 2.8.1 will be made available\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\n\n. 2009-07-08:\nThe advisory CORE-2009-0515 is published.\n\n\n\n10. *References*\n\n[1] WordPress vulnerabilities in CVE database\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\n[2] SecuriTeam List of WordPress Vulnerabilities\nhttp://www.securiteam.com/products/W/Wordpress.html\n[3] WordPress Vulnerability - YBO Interactive Blog\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\nhttp://wordpress.org/support/topic/280748\n[5] Security breach - xkcd blog\nhttp://blag.xkcd.com/2009/06/18/security-breach/\n[6] securityvulns.com WordPress vulnerabilities digest in English\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\n[7] CVE-2008-0196\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\n[8] WordPress Roles and Capabilities\nhttp://codex.wordpress.org/Roles_and_Capabilities\n[9] WordPress Download Counter\nhttp://wordpress.org/download/counter/\n[10] WordPress Intrusion Detection System Plugin\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\n[11] Hardening WordPress with htaccess\nhttp://blogsecurity.net/wordpress/article-210607\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.6 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\nTPRpR0Gn0WqmF8HOeDslbA8=\n=zEDK\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-07-10]\n", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/9110/"}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334"], "description": "WordPress-MU is a derivative of the WordPress blogging codebase, to allow one instance to serve multiple users. ", "modified": "2010-01-28T00:58:59", "published": "2010-01-28T00:58:59", "id": "FEDORA:7C26510FA57", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 11 Update: wordpress-mu-2.8.6-1.fc11", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334"], "description": "WordPress-MU is a derivative of the WordPress blogging codebase, to allow one instance to serve multiple users. ", "modified": "2009-11-10T17:54:09", "published": "2009-11-10T17:54:09", "id": "FEDORA:B465110F8C6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 11 Update: wordpress-mu-2.8.5.2-1.fc11", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-1030", "CVE-2009-2334"], "description": "WordPress-MU is a derivative of the WordPress blogging codebase, to allow one instance to serve multiple users. ", "modified": "2009-11-10T17:57:05", "published": "2009-11-10T17:57:05", "id": "FEDORA:F417810F872", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: wordpress-mu-2.8.5.2-1.fc10", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "WordPress-MU is a derivative of the WordPress blogging codebase, to allow one instance to serve multiple users. ", "modified": "2009-08-15T08:09:49", "published": "2009-08-15T08:09:49", "id": "FEDORA:2260910F855", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 11 Update: wordpress-mu-2.8.4a-1.fc11", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. ", "modified": "2009-07-19T10:07:19", "published": "2009-07-19T10:07:19", "id": "FEDORA:6DE2A10F891", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 11 Update: wordpress-2.8.1-1.fc11", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. ", "modified": "2009-07-19T10:17:03", "published": "2009-07-19T10:17:03", "id": "FEDORA:409AD10F89B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: wordpress-2.8.1-1.fc10", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-1030", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "WordPress-MU is a derivative of the WordPress blogging codebase, to allow one instance to serve multiple users. ", "modified": "2009-08-15T08:11:21", "published": "2009-08-15T08:11:21", "id": "FEDORA:9869510F855", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: wordpress-mu-2.8.4a-1.fc10", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2018-04-06T11:38:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11260.", "modified": "2018-04-06T00:00:00", "published": "2009-11-17T00:00:00", "id": "OPENVAS:136141256231066255", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066255", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-11260 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_11260.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-11260 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity and bugfix updates based upon the WordPress 2.8.5 release\n\nChangeLog:\n\n* Fri Nov 6 2009 Bret McMillan - 2.8.5.2-1\n- Update to version 2.8.5.2 for security fixes\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-11260\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11260.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66255\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-17 21:42:12 +0100 (Tue, 17 Nov 2009)\");\n script_cve_id(\"CVE-2009-2334\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-11260 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=530056\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.5.2~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11260.", "modified": "2017-07-10T00:00:00", "published": "2009-11-17T00:00:00", "id": "OPENVAS:66255", "href": "http://plugins.openvas.org/nasl.php?oid=66255", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-11260 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_11260.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-11260 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity and bugfix updates based upon the WordPress 2.8.5 release\n\nChangeLog:\n\n* Fri Nov 6 2009 Bret McMillan - 2.8.5.2-1\n- Update to version 2.8.5.2 for security fixes\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-11260\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11260.\";\n\n\n\nif(description)\n{\n script_id(66255);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-17 21:42:12 +0100 (Tue, 17 Nov 2009)\");\n script_cve_id(\"CVE-2009-2334\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-11260 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=530056\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.5.2~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-11T11:04:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334"], "description": "Check for the Version of wordpress-mu", "modified": "2018-01-09T00:00:00", "published": "2010-03-02T00:00:00", "id": "OPENVAS:1361412562310861681", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310861681", "type": "openvas", "title": "Fedora Update for wordpress-mu FEDORA-2009-12547", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wordpress-mu FEDORA-2009-12547\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"wordpress-mu on Fedora 11\";\ntag_insight = \"WordPress-MU is a derivative of the WordPress blogging codebase, to allow\n one instance to serve multiple users.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034411.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.861681\");\n script_version(\"$Revision: 8338 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-09 09:00:38 +0100 (Tue, 09 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-02 08:38:02 +0100 (Tue, 02 Mar 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2009-12547\");\n script_cve_id(\"CVE-2009-2334\");\n script_name(\"Fedora Update for wordpress-mu FEDORA-2009-12547\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of wordpress-mu\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC11\")\n{\n\n if ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.6~1.fc11\", rls:\"FC11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-12-18T10:58:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334"], "description": "Check for the Version of wordpress-mu", "modified": "2017-12-18T00:00:00", "published": "2010-03-02T00:00:00", "id": "OPENVAS:861681", "href": "http://plugins.openvas.org/nasl.php?oid=861681", "type": "openvas", "title": "Fedora Update for wordpress-mu FEDORA-2009-12547", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wordpress-mu FEDORA-2009-12547\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"wordpress-mu on Fedora 11\";\ntag_insight = \"WordPress-MU is a derivative of the WordPress blogging codebase, to allow\n one instance to serve multiple users.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034411.html\");\n script_id(861681);\n script_version(\"$Revision: 8153 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-18 07:30:39 +0100 (Mon, 18 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-02 08:38:02 +0100 (Tue, 02 Mar 2010)\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2009-12547\");\n script_cve_id(\"CVE-2009-2334\");\n script_name(\"Fedora Update for wordpress-mu FEDORA-2009-12547\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of wordpress-mu\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC11\")\n{\n\n if ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.6~1.fc11\", rls:\"FC11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:57:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-1030"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11292.", "modified": "2017-07-10T00:00:00", "published": "2009-11-17T00:00:00", "id": "OPENVAS:66258", "href": "http://plugins.openvas.org/nasl.php?oid=66258", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-11292 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_11292.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-11292 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity and bugfix updates based upon the WordPress 2.8.5 release\n\nChangeLog:\n\n* Fri Nov 6 2009 Bret McMillan - 2.8.5.2-1\n- Update to version 2.8.5.2 for security fixes\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-11292\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11292.\";\n\n\n\nif(description)\n{\n script_id(66258);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-17 21:42:12 +0100 (Tue, 17 Nov 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-1030\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-11292 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=530056\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.5.2~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-06T11:40:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-1030"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11292.", "modified": "2018-04-06T00:00:00", "published": "2009-11-17T00:00:00", "id": "OPENVAS:136141256231066258", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066258", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-11292 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_11292.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-11292 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nSecurity and bugfix updates based upon the WordPress 2.8.5 release\n\nChangeLog:\n\n* Fri Nov 6 2009 Bret McMillan - 2.8.5.2-1\n- Update to version 2.8.5.2 for security fixes\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-11292\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-11292.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66258\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-17 21:42:12 +0100 (Tue, 17 Nov 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-1030\");\n script_tag(name:\"cvss_base\", value:\"4.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:P/I:P/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-11292 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=530056\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.5.2~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.9, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-04-06T11:39:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.", "modified": "2018-04-06T00:00:00", "published": "2009-07-29T00:00:00", "id": "OPENVAS:136141256231064407", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064407", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-7729 (wordpress)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7729.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7729 (wordpress)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"ChangeLog:\n\n* Fri Jul 10 2009 Adrian Reber - 2.8.1-1\n- updated to 2.8.1 for security fixes - BZ 510745\n* Mon Jun 22 2009 Adrian Reber - 2.8-1\n- updated to 2.8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7729\";\ntag_summary = \"The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64407\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-7729 (wordpress)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.8.1~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.", "modified": "2017-07-10T00:00:00", "published": "2009-07-29T00:00:00", "id": "OPENVAS:64407", "href": "http://plugins.openvas.org/nasl.php?oid=64407", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-7729 (wordpress)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7729.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7729 (wordpress)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"ChangeLog:\n\n* Fri Jul 10 2009 Adrian Reber - 2.8.1-1\n- updated to 2.8.1 for security fixes - BZ 510745\n* Mon Jun 22 2009 Adrian Reber - 2.8-1\n- updated to 2.8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7729\";\ntag_summary = \"The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7729.\";\n\n\n\nif(description)\n{\n script_id(64407);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 10 FEDORA-2009-7729 (wordpress)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.8.1~1.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:37:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7701.", "modified": "2018-04-06T00:00:00", "published": "2009-07-29T00:00:00", "id": "OPENVAS:136141256231064404", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064404", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-7701 (wordpress)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_7701.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-7701 (wordpress)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Wordpress is an online publishing / weblog package that makes it very easy,\nalmost trivial, to get information out to people on the web.\n\nChangeLog:\n\n* Fri Jul 10 2009 Adrian Reber - 2.8.1-1\n- updated to 2.8.1 for security fixes - BZ 510745\n* Mon Jun 22 2009 Adrian Reber - 2.8-1\n- updated to 2.8\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-7701\";\ntag_summary = \"The remote host is missing an update to wordpress\nannounced via advisory FEDORA-2009-7701.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64404\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-07-29 19:28:37 +0200 (Wed, 29 Jul 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-7701 (wordpress)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.8.1~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-06T11:38:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8529.", "modified": "2018-04-06T00:00:00", "published": "2009-09-02T00:00:00", "id": "OPENVAS:136141256231064697", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064697", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-8529 (wordpress-mu)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_8529.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-8529 (wordpress-mu)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update spans MU-versions for the following security releases from upstream:\n\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n\n* Backport of XSS fixes from WordPress 2.8.2\n* Backport of security fixes for admin.php?page= bugs (CVE-2009-2334)\n\nChangeLog:\n\n* Wed Aug 12 2009 Bret McMillan - 2.8.4a-1\n- Update to version 2.8.4a for security fixes\n* Fri Jul 10 2009 Bret McMillan - 2.7-6\n- Patch for CVE-2009-2334\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update wordpress-mu' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-8529\";\ntag_summary = \"The remote host is missing an update to wordpress-mu\nannounced via advisory FEDORA-2009-8529.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.64697\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Fedora Core 11 FEDORA-2009-8529 (wordpress-mu)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=510745\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"wordpress-mu\", rpm:\"wordpress-mu~2.8.4a~1.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2009-07-09T00:00:00", "published": "2009-07-09T00:00:00", "id": "SECURITYVULNS:VULN:10056", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10056", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nWordPress Privileges Unchecked in admin.php and Multiple Information\r\nDisclosures\r\n\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\r\nInformation Disclosures\r\nAdvisory ID: CORE-2009-0515\r\nAdvisory URL:\r\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\r\nDate published: 2009-07-08\r\nDate of last update: 2009-07-08\r\nVendors contacted: WordPress\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Local file include, Privileges unchecked, Cross site scripting\r\n(XSS), Information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35581, 35584\r\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWordPress is a web application written in PHP that allows the easy\r\ninstallation of a flexible weblog on any computer connected to the\r\nInternet. WordPress 2.7 reached more than 6 million downloads during\r\nJune 2009 [9].\r\n\r\nA vulnerability was found in the way that WordPress handles some URL\r\nrequests. This results in unprivileged users viewing the content of\r\nplugins configuration pages, and also in some plugins modifying plugin\r\noptions and injecting JavaScript code. Arbitrary native code may be run\r\nby a malicious attacker if the blog administrator runs injected\r\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\r\nhosted outside 'wordpress.com', allow any person to create unprivileged\r\nusers called subscribers. Other sensitive username information\r\ndisclosures were found in WordPress.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . WordPress 2.8 and previous\r\n . WordPress MU 2.7.1 and previous, used in WordPress.com\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . WordPress 2.8.1\r\n . WordPress MU 2.8.1, used in WordPress.com\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\r\nSecurity): this vulnerability may be mitigated by controlling access to\r\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\r\nApache access control mechanism ('.htaccess' file), see guideline for\r\nmore information [11].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Fernando\r\nArnaboldi and José Orlicki from Core Security Technologies. Further\r\nresearch was made by Jose Orlicki from Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nIn the last few years several security bugs were found in WordPress\r\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\r\nto exploitation by blog spammers [3]. During 2009, a new round of\r\nattacks has appeared and security researchers are reporting new bugs or\r\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\r\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\r\nreport that administrative privileges are still unchecked when accessing\r\nany PHP file inside a plugin folder.\r\n\r\n\r\n8.2. *Access Control Roles*\r\n\r\nWordPress has a privilege model where any user has an assigned role [8].\r\nRegarding plugins only users characterized by the role Administrator can\r\nactivate plugins. Notice that only the blog hosting owner can add new\r\nplugins because these must by copied inside the host filesystem. The\r\nroles Editor, Author or Subscriber (the latter has the least privileges)\r\ncannot activate plugins, edit plugins, update plugins nor delete plugins\r\ninstalled by an Administrator. Besides that, the configuration of\r\nspecific plugins is a grey area because there is no distinguished\r\ncapability assigned [8].\r\n\r\nAlso due to cross-site scripting vulnerabilities inside plugins options\r\n(something very common), non-administrative users reconfiguring plugins\r\nmay inject persistent JavaScript code. Possibly arbitrary native code\r\ncan be executed by the attacker if the blog administrator runs injected\r\nJavasScript code that injects PHP code. It is important to observe that\r\nmany WordPress-powered blogs are configured to allow any blog visitor to\r\ncreate a Subscriber user without confirmation from the Administrator\r\nrole inside the following URL, although by default the Administrator\r\nrole must create these new users.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-login.php?action=register\r\n- -----------/\r\n\r\n This can be modified by the administrator in 'Membership/Anyone can\r\nregister'.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\r\n(CVE-2009-2334, BID 35581)*\r\n\r\nNo privileges are checked on WordPress plugins configuration PHP modules\r\nusing parameter 'page' when we replace 'options-general.php' with\r\n'admin.php'. The same thing happens when replacing other modules such as\r\n'plugins.php' with 'admin.php'. Basic information disclosure is done\r\nthis way. For example, with the following URL a user with no privileges\r\ncan see the configuration of plugin Collapsing Archives, if installed.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Instead of the following allowed URL.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Another example of this information disclosure is shown on Akismet, a\r\nplugin shipped by default with WordPress.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\r\n- -----------/\r\n\r\n All plugins we have tested are vulnerable to this kind of information\r\ndisclosure, but in many of them the PHP files accessed just crashed. On\r\nthe other hand, for example, with capability 'import', privileges are\r\nchecked inside 'admin.php':\r\n\r\n/-----------\r\n\r\nif ( ! current_user_can('import') )\r\n wp_die(__('You are not allowed to import.'));\r\n- -----------/\r\n\r\n More dangerous scenarios exist, all of them can be exploited by users\r\nwith the Subscriber role, the least privileged.\r\n\r\n\r\n8.4. *Abuse example: XSS in plugin configuration module*\r\n\r\nIf installed, *Related Ways To Take Action* is an example of a WordPress\r\nplugin that is affected by many cross-site scripting vulnerabilities\r\n(XSS) that can be leveraged by an attacker using the unchecked\r\nprivileges described in this advisory to inject persistent JavaScript\r\ncode. Possibly, arbitrary native code can be executed by the attacker if\r\nthe blog administrator, when he/she logs in, runs injected JavasScript\r\ncode that edits blog PHP code. The original URL for reconfiguring the\r\nplugin can be accessed only by the Administrator role.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n But replacing the PHP file with the generic 'admin.php' any blog user\r\ncan modify this configuration.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n The following JavaScript injection can be entered within field *Exclude\r\nactions by term* to exemplify this kind of abuse. When the administrator\r\nenters the same page the injected browser code will be executed and\r\npossibly blog PHP can be modified to run arbitrary native code.\r\n\r\n/-----------\r\n\r\n\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref="\r\n\r\n- -----------/\r\n\r\n This is the worst scenario that we found for the vulnerability.\r\n\r\n\r\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\r\n\r\nIf installed, the WordPress Security Scanner Plugin dashboard can be\r\nviewed similarly by any user besides the administrator using the plugin\r\nconfiguration page URL without modification. This dashboard includes\r\ncommon default blog configuration settings that are insecure and should\r\nbe modified by the blog administrator or hosting.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\r\n\r\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\r\nreconfigured accessed with the same vulnerability.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\r\n- -----------/\r\n\r\n This gives an attacker the possibility to disable many features of the\r\nplugin, for example reactivate the forgotten password feature and\r\nreactivate the XML-RPC blog interface. Also you can deny the weblog\r\nservice by configuring this plugin to be overly sensitive, blocking any\r\nrequest. However the plugin cannot be totally disabled because the\r\nessential IDS parameters 'Maximum impact to ignore bad requests' and\r\n'Minimum impact to sanitize bad requests' are verified on the server\r\nside of the blog and cannot be distorted to deactivate the sanitizing or\r\nblocking features of the web IDS plugin.\r\n\r\n\r\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\r\n35584)*\r\n\r\nWordPress discriminates bad password from bad user logins, this reduces\r\nthe complexity of a brute force attack on WordPress blogs login\r\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\r\nwhen users use the forgotten mail interface to request a new password\r\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\r\nbe previously reported [6] but the WordPress team is refusing to modify\r\nthem alleging *user convenience*.\r\n\r\nDefault installation of WordPress 2.7.1 leaks the name of the user\r\nposting entries inside the HTML of the blog.\r\n\r\n/-----------\r\n\r\n <small>June 3rd, 2009 </small>\r\n- -----------/\r\n\r\n\r\n\r\nAlso several administrative modules give to anyone the complete path\r\nwhere the web application is hosted inside the server. This may simplify\r\nor enable other malicious attacks. An example follows.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-settings.php\r\n- -----------/\r\n\r\n\r\n\r\n/-----------\r\n\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\wp-settings.php on line 110\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\wp-settings.php on line 112\r\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\r\nfailed to open stream:\r\nNo such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246\r\nFatal error: require() [function.require]: Failed opening required\r\n'ABSPATHwp-includes/compat.php'\r\n(include_path='.;[PHP_LEAKED_PATH]\php5\pear') in\r\n[WP_LEAKED_PATH]\wp-settings.php on line 246\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-06-04:\r\nCore Security Technologies notifies the WordPress team of the\r\nvulnerabilities (security@wordpress.org) and offers a technical\r\ndescription encrypted or in plain-text. Advisory is planned for\r\npublication on June 22th.\r\n\r\n. 2009-06-08:\r\nCore notifies again the WordPress team of the vulnerability.\r\n\r\n. 2009-06-10:\r\nThe WordPress team asks Core for a technical description of the\r\nvulnerability in plain-text.\r\n\r\n. 2009-06-11:\r\nTechnical details sent to WordPress team by Core.\r\n\r\n. 2009-06-11:\r\nWordPress team notifies Core that a fix was produced and is available to\r\nCore for testing. WordPress team asserts that password and username\r\ndiscrimination as well as username leakage are known and will not be\r\nfixed because they are convenient for the users.\r\n\r\n. 2009-06-12:\r\nCore tells the WordPress team that the patch will be tested by Core as a\r\ncourtesy as soon as possible. It also requests confirmation that\r\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\r\nthe flaws included in the advisory draft CORE-2009-0515.\r\n\r\n. 2009-06-12:\r\nWordPress team confirms that WordPress 2.8 and earlier plus\r\nWordPress.com are vulnerable to the flaws included in the advisory draft.\r\n\r\n. 2009-06-17:\r\nCore informs the WordPress team that the patch is only fixing one of the\r\nfour proof of concept abuses included in the advisory draft. Core\r\nreminds the WordPress team that the advisory is scheduled to be\r\npublished on June 22th but a new schedule can be discussed.\r\n\r\n. 2009-06-19:\r\nCore asks for a new patched version of WordPress, if available, and\r\nnotifies the WordPress team that the publication of the advisory was\r\nre-scheduled to June 30th.\r\n\r\n. 2009-06-19:\r\nWordPress team confirms they have a new patch that has the potential to\r\nbreak a lot of plugins.\r\n\r\n. 2009-06-29:\r\nWordPress team asks for a delayance on advisory CORE-2009-0515\r\npublication until July 6th, when WordPress MU version will be patched.\r\n\r\n. 2009-06-29:\r\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\r\n\r\n. 2009-06-29:\r\nCore tells the WordPress team that other administrative PHP modules can\r\nalso be rendered by non-administrative users, such as module\r\n'admin-post.php' and 'link-parse-opml.php'.\r\n\r\n. 2009-07-02:\r\nWordPress team comments that 'admin.php' and 'admin-post.php' are\r\nintentionally open and plugins can choose to hook either privileged or\r\nunprivileged actions. They also comment that unprivileged access to\r\n'link-parse-opml.php' is benign but having this file open is bad form.\r\n\r\n. 2009-07-02:\r\nCore sends the WordPress team a new draft of the advisory and comments\r\nthat there is no capability specified in Worpress documentation for\r\nconfiguring plugins. Also control of actions registered by plugins is\r\nnot enforced. Core also notices that the privileges unchecked bug in\r\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\r\nrelease.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress\r\n2.8.1 and WordPress MU 2.8.\r\n\r\n. 2009-07-07:\r\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\r\nmade available to users and that the advisory may be published.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress MU\r\nand WordPress MU new version numbers.\r\n\r\n. 2009-07-07:\r\nWordPress team release WordPress 2.8.1 RC1 to its users.\r\n\r\n. 2009-07-08:\r\nWordPress team confirms that WordPress MU 2.8.1 will be made available\r\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\r\n\r\n. 2009-07-08:\r\nThe advisory CORE-2009-0515 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] WordPress vulnerabilities in CVE database\r\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\r\n[2] SecuriTeam List of WordPress Vulnerabilities\r\nhttp://www.securiteam.com/products/W/Wordpress.html\r\n[3] WordPress Vulnerability - YBO Interactive Blog\r\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\r\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\r\nhttp://wordpress.org/support/topic/280748\r\n[5] Security breach - xkcd blog\r\nhttp://blag.xkcd.com/2009/06/18/security-breach/\r\n[6] securityvulns.com WordPress vulnerabilities digest in English\r\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\r\n[7] CVE-2008-0196\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\r\n[8] WordPress Roles and Capabilities\r\nhttp://codex.wordpress.org/Roles_and_Capabilities\r\n[9] WordPress Download Counter\r\nhttp://wordpress.org/download/counter/\r\n[10] WordPress Intrusion Detection System Plugin\r\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\r\n[11] Hardening WordPress with htaccess\r\nhttp://blogsecurity.net/wordpress/article-210607\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\r\nTPRpR0Gn0WqmF8HOeDslbA8=\r\n=zEDK\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-07-09T00:00:00", "published": "2009-07-09T00:00:00", "id": "SECURITYVULNS:DOC:22142", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22142", "title": "CORE-2009-01515 - WordPress Privileges Unchecked in admin.php and Multiple Information", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-12T10:07:30", "description": " - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2009-07-20T00:00:00", "title": "Fedora 11 : wordpress-2.8.1-1.fc11 (2009-7701)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-20T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wordpress", "cpe:/o:fedoraproject:fedora:11"], "id": "FEDORA_2009-7701.NASL", "href": "https://www.tenable.com/plugins/nessus/39856", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-7701.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39856);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(35584);\n script_xref(name:\"FEDORA\", value:\"2009-7701\");\n\n script_name(english:\"Fedora 11 : wordpress-2.8.1-1.fc11 (2009-7701)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026561.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ce20061\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"wordpress-2.8.1-1.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:07:31", "description": " - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\n - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at\n lists.fedoraproject.org> - 2.7.1-2\n\n - Rebuilt for\n https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n\n - Wed Feb 11 2009 Adrian Reber <adrian at lisas.de> -\n 2.7.1-1\n\n - updated to 2.7.1\n\n - Wed Nov 26 2008 Adrian Reber <adrian at lisas.de> -\n 2.6.5-2\n\n - updated to 2.6.5\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "published": "2009-07-20T00:00:00", "title": "Fedora 10 : wordpress-2.8.1-1.fc10 (2009-7729)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-20T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:wordpress"], "id": "FEDORA_2009-7729.NASL", "href": "https://www.tenable.com/plugins/nessus/39859", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-7729.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39859);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(35584);\n script_xref(name:\"FEDORA\", value:\"2009-7729\");\n\n script_name(english:\"Fedora 10 : wordpress-2.8.1-1.fc10 (2009-7729)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fri Jul 10 2009 Adrian Reber <adrian at lisas.de> -\n 2.8.1-1\n\n - updated to 2.8.1 for security fixes - BZ 510745\n\n - Mon Jun 22 2009 Adrian Reber <adrian at lisas.de> -\n 2.8-1\n\n - updated to 2.8\n\n - Wed Feb 25 2009 Fedora Release Engineering <rel-eng at\n lists.fedoraproject.org> - 2.7.1-2\n\n - Rebuilt for\n https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\n\n - Wed Feb 11 2009 Adrian Reber <adrian at lisas.de> -\n 2.7.1-1\n\n - updated to 2.7.1\n\n - Wed Nov 26 2008 Adrian Reber <adrian at lisas.de> -\n 2.6.5-2\n\n - updated to 2.6.5\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026605.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e8bdf78e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"wordpress-2.8.1-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:07:36", "description": "Update spans MU-versions for the following security releases from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele\nase/\n\n - Backport of XSS fixes from WordPress 2.8.2 * Backport of\n security fixes for admin.php?page= bugs (CVE-2009-2334)\n Backport of security fixes for admin.php?page= bugs\n (CVE-2009-2334) Backport of security fixes for\n admin.php?page= bugs (CVE-2009-2334)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2009-08-18T00:00:00", "title": "Fedora 10 : wordpress-mu-2.8.4a-1.fc10 (2009-8538)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-08-18T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:wordpress-mu"], "id": "FEDORA_2009-8538.NASL", "href": "https://www.tenable.com/plugins/nessus/40601", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-8538.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40601);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(34075, 35581, 35584);\n script_xref(name:\"FEDORA\", value:\"2009-8538\");\n\n script_name(english:\"Fedora 10 : wordpress-mu-2.8.4a-1.fc10 (2009-8538)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update spans MU-versions for the following security releases from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele\nase/\n\n - Backport of XSS fixes from WordPress 2.8.2 * Backport of\n security fixes for admin.php?page= bugs (CVE-2009-2334)\n Backport of security fixes for admin.php?page= bugs\n (CVE-2009-2334) Backport of security fixes for\n admin.php?page= bugs (CVE-2009-2334)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://wordpress.org/development/2009/08/2-8-4-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wordpress.org/news/2009/08/2-8-4-security-release/\"\n );\n # http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ab4dc04\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027878.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?22ed89ca\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress-mu package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress-mu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/08/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"wordpress-mu-2.8.4a-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress-mu\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:07:36", "description": "Update spans MU-versions for the following security releases from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele\nase/\n\n - Backport of XSS fixes from WordPress 2.8.2 * Backport of\n security fixes for admin.php?page= bugs (CVE-2009-2334)\n Backport of security fixes for admin.php?page= bugs\n (CVE-2009-2334) Backport of security fixes for\n admin.php?page= bugs (CVE-2009-2334)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2009-08-18T00:00:00", "title": "Fedora 11 : wordpress-mu-2.8.4a-1.fc11 (2009-8529)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-08-18T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wordpress-mu", "cpe:/o:fedoraproject:fedora:11"], "id": "FEDORA_2009-8529.NASL", "href": "https://www.tenable.com/plugins/nessus/40599", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-8529.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40599);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2334\", \"CVE-2009-2335\", \"CVE-2009-2336\");\n script_bugtraq_id(35581, 35584);\n script_xref(name:\"FEDORA\", value:\"2009-8529\");\n\n script_name(english:\"Fedora 11 : wordpress-mu-2.8.4a-1.fc11 (2009-8529)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update spans MU-versions for the following security releases from\nupstream:\nhttp://wordpress.org/development/2009/08/2-8-4-security-release/\nhttp://wordpress.org/development/2009/08/wordpress-2-8-3-security-rele\nase/\n\n - Backport of XSS fixes from WordPress 2.8.2 * Backport of\n security fixes for admin.php?page= bugs (CVE-2009-2334)\n Backport of security fixes for admin.php?page= bugs\n (CVE-2009-2334) Backport of security fixes for\n admin.php?page= bugs (CVE-2009-2334)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://wordpress.org/development/2009/08/2-8-4-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wordpress.org/news/2009/08/2-8-4-security-release/\"\n );\n # http://wordpress.org/development/2009/08/wordpress-2-8-3-security-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ab4dc04\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=510745\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027867.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d10c5281\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress-mu package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(16, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress-mu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/08/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"wordpress-mu-2.8.4a-1.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress-mu\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T09:45:37", "description": "Several vulnerabilities have been discovered in wordpress, weblog\nmanager. The Common Vulnerabilities and Exposures project identifies\nthe following problems :\n\n - CVE-2008-6762\n It was discovered that wordpress is prone to an open\n redirect vulnerability which allows remote attackers to\n conduct phishing attacks.\n\n - CVE-2008-6767\n It was discovered that remote attackers had the ability\n to trigger an application upgrade, which could lead to a\n denial of service attack.\n\n - CVE-2009-2334\n It was discovered that wordpress lacks authentication\n checks in the plugin configuration, which might leak\n sensitive information.\n\n - CVE-2009-2854\n It was discovered that wordpress lacks authentication\n checks in various actions, thus allowing remote\n attackers to produce unauthorised edits or additions.\n\n - CVE-2009-2851\n It was discovered that the administrator interface is\n prone to a cross-site scripting attack.\n\n - CVE-2009-2853\n It was discovered that remote attackers can gain\n privileges via certain direct requests.\n\n - CVE-2008-1502\n It was discovered that the _bad_protocol_once function\n in KSES, as used by wordpress, allows remote attackers\n to perform cross-site scripting attacks.\n\n - CVE-2008-4106\n It was discovered that wordpress lacks certain checks\n around user information, which could be used by\n attackers to change the password of a user.\n\n - CVE-2008-4769\n It was discovered that the get_category_template\n function is prone to a directory traversal\n vulnerability, which could lead to the execution of\n arbitrary code.\n\n - CVE-2008-4796\n It was discovered that the _httpsrequest function in the\n embedded snoopy version is prone to the execution of\n arbitrary commands via shell metacharacters in https\n URLs.\n\n - CVE-2008-5113\n It was discovered that wordpress relies on the REQUEST\n superglobal array in certain dangerous situations, which\n makes it easier to perform attacks via crafted cookies.", "edition": 30, "published": "2010-02-24T00:00:00", "title": "Debian DSA-1871-1 : wordpress - several vulnerabilities ", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4769", "CVE-2009-2851", "CVE-2009-2334", "CVE-2008-6762", "CVE-2008-6767", "CVE-2008-4796", "CVE-2008-4106", "CVE-2009-2853", "CVE-2008-5113", "CVE-2008-1502", "CVE-2009-2854"], "modified": "2010-02-24T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:wordpress", "cpe:/o:debian:debian_linux:5.0"], "id": "DEBIAN_DSA-1871.NASL", "href": "https://www.tenable.com/plugins/nessus/44736", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1871. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44736);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-1502\", \"CVE-2008-4106\", \"CVE-2008-4769\", \"CVE-2008-4796\", \"CVE-2008-5113\", \"CVE-2008-6762\", \"CVE-2008-6767\", \"CVE-2009-2334\", \"CVE-2009-2851\", \"CVE-2009-2853\", \"CVE-2009-2854\");\n script_bugtraq_id(28599, 31068, 31887, 35584, 35935);\n script_xref(name:\"DSA\", value:\"1871\");\n\n script_name(english:\"Debian DSA-1871-1 : wordpress - several vulnerabilities \");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in wordpress, weblog\nmanager. The Common Vulnerabilities and Exposures project identifies\nthe following problems :\n\n - CVE-2008-6762\n It was discovered that wordpress is prone to an open\n redirect vulnerability which allows remote attackers to\n conduct phishing attacks.\n\n - CVE-2008-6767\n It was discovered that remote attackers had the ability\n to trigger an application upgrade, which could lead to a\n denial of service attack.\n\n - CVE-2009-2334\n It was discovered that wordpress lacks authentication\n checks in the plugin configuration, which might leak\n sensitive information.\n\n - CVE-2009-2854\n It was discovered that wordpress lacks authentication\n checks in various actions, thus allowing remote\n attackers to produce unauthorised edits or additions.\n\n - CVE-2009-2851\n It was discovered that the administrator interface is\n prone to a cross-site scripting attack.\n\n - CVE-2009-2853\n It was discovered that remote attackers can gain\n privileges via certain direct requests.\n\n - CVE-2008-1502\n It was discovered that the _bad_protocol_once function\n in KSES, as used by wordpress, allows remote attackers\n to perform cross-site scripting attacks.\n\n - CVE-2008-4106\n It was discovered that wordpress lacks certain checks\n around user information, which could be used by\n attackers to change the password of a user.\n\n - CVE-2008-4769\n It was discovered that the get_category_template\n function is prone to a directory traversal\n vulnerability, which could lead to the execution of\n arbitrary code.\n\n - CVE-2008-4796\n It was discovered that the _httpsrequest function in the\n embedded snoopy version is prone to the execution of\n arbitrary commands via shell metacharacters in https\n URLs.\n\n - CVE-2008-5113\n It was discovered that wordpress relies on the REQUEST\n superglobal array in certain dangerous situations, which\n makes it easier to perform attacks via crafted cookies.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504243\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500115\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504234\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-6762\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-6767\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2334\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2854\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2851\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2853\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-1502\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-4106\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-4769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-4796\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-5113\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1871\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the wordpress packages.\n\nFor the oldstable distribution (etch), these problems have been fixed\nin version 2.0.10-1etch4.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.5.1-11+lenny1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Moodle <= 1.8.4 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(20, 22, 59, 79, 94, 264, 287, 352);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/03/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"wordpress\", reference:\"2.0.10-1etch4\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"wordpress\", reference:\"2.5.1-11+lenny1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:57", "description": "", "published": "2009-07-08T00:00:00", "type": "packetstorm", "title": "Core Security Technologies Advisory 2009.0515", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-08T00:00:00", "id": "PACKETSTORM:79033", "href": "https://packetstormsecurity.com/files/79033/Core-Security-Technologies-Advisory-2009.0515.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \nCore Security Technologies - CoreLabs Advisory \nhttp://www.coresecurity.com/corelabs/ \n \nWordPress Privileges Unchecked in admin.php and Multiple Information \nDisclosures \n \n \n \n1. *Advisory Information* \n \nTitle: WordPress Privileges Unchecked in admin.php and Multiple \nInformation Disclosures \nAdvisory ID: CORE-2009-0515 \nAdvisory URL: \nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked \nDate published: 2009-07-08 \nDate of last update: 2009-07-08 \nVendors contacted: WordPress \nRelease mode: Coordinated release \n \n \n2. *Vulnerability Information* \n \nClass: Local file include, Privileges unchecked, Cross site scripting \n(XSS), Information disclosure \nRemotely Exploitable: Yes \nLocally Exploitable: No \nBugtraq ID: 35581, 35584 \nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336 \n \n \n3. *Vulnerability Description* \n \nWordPress is a web application written in PHP that allows the easy \ninstallation of a flexible weblog on any computer connected to the \nInternet. WordPress 2.7 reached more than 6 million downloads during \nJune 2009 [9]. \n \nA vulnerability was found in the way that WordPress handles some URL \nrequests. This results in unprivileged users viewing the content of \nplugins configuration pages, and also in some plugins modifying plugin \noptions and injecting JavaScript code. Arbitrary native code may be run \nby a malicious attacker if the blog administrator runs injected \nJavasScript code that edits blog PHP code. Many WordPress-powered blogs, \nhosted outside 'wordpress.com', allow any person to create unprivileged \nusers called subscribers. Other sensitive username information \ndisclosures were found in WordPress. \n \n \n4. *Vulnerable packages* \n \n. WordPress 2.8 and previous \n. WordPress MU 2.7.1 and previous, used in WordPress.com \n \n \n5. *Non-vulnerable packages* \n \n. WordPress 2.8.1 \n. WordPress MU 2.8.1, used in WordPress.com \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nMitigation for the Privileges Unchecked vulnerability (suggested by Core \nSecurity): this vulnerability may be mitigated by controlling access to \nfiles inside the 'wp-admin' folder. Access can be prohibited by using \nApache access control mechanism ('.htaccess' file), see guideline for \nmore information [11]. \n \n \n7. *Credits* \n \nThese vulnerabilities were discovered and researched by Fernando \nArnaboldi and Jos\u00e9 Orlicki from Core Security Technologies. Further \nresearch was made by Jose Orlicki from Core Security Technologies. \n \n \n8. *Technical Description / Proof of Concept Code* \n \n \n8.1. *Introduction* \n \nIn the last few years several security bugs were found in WordPress \n[1][2]. During 2008, the big amount of bugs reported by researchers lead \nto exploitation by blog spammers [3]. During 2009, a new round of \nattacks has appeared and security researchers are reporting new bugs or \nwrongly fixed previously-reported bugs [4][5]. A path traversal in local \nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we \nreport that administrative privileges are still unchecked when accessing \nany PHP file inside a plugin folder. \n \n \n8.2. *Access Control Roles* \n \nWordPress has a privilege model where any user has an assigned role [8]. \nRegarding plugins only users characterized by the role Administrator can \nactivate plugins. Notice that only the blog hosting owner can add new \nplugins because these must by copied inside the host filesystem. The \nroles Editor, Author or Subscriber (the latter has the least privileges) \ncannot activate plugins, edit plugins, update plugins nor delete plugins \ninstalled by an Administrator. Besides that, the configuration of \nspecific plugins is a grey area because there is no distinguished \ncapability assigned [8]. \n \nAlso due to cross-site scripting vulnerabilities inside plugins options \n(something very common), non-administrative users reconfiguring plugins \nmay inject persistent JavaScript code. Possibly arbitrary native code \ncan be executed by the attacker if the blog administrator runs injected \nJavasScript code that injects PHP code. It is important to observe that \nmany WordPress-powered blogs are configured to allow any blog visitor to \ncreate a Subscriber user without confirmation from the Administrator \nrole inside the following URL, although by default the Administrator \nrole must create these new users. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-login.php?action=register \n- -----------/ \n \nThis can be modified by the administrator in 'Membership/Anyone can \nregister'. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/options-general.php \n- -----------/ \n \n \n \n \n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes \n(CVE-2009-2334, BID 35581)* \n \nNo privileges are checked on WordPress plugins configuration PHP modules \nusing parameter 'page' when we replace 'options-general.php' with \n'admin.php'. The same thing happens when replacing other modules such as \n'plugins.php' with 'admin.php'. Basic information disclosure is done \nthis way. For example, with the following URL a user with no privileges \ncan see the configuration of plugin Collapsing Archives, if installed. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt \n- -----------/ \n \nInstead of the following allowed URL. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt \n- -----------/ \n \nAnother example of this information disclosure is shown on Akismet, a \nplugin shipped by default with WordPress. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt \n- -----------/ \n \nAll plugins we have tested are vulnerable to this kind of information \ndisclosure, but in many of them the PHP files accessed just crashed. On \nthe other hand, for example, with capability 'import', privileges are \nchecked inside 'admin.php': \n \n/----------- \n \nif ( ! current_user_can('import') ) \nwp_die(__('You are not allowed to import.')); \n- -----------/ \n \nMore dangerous scenarios exist, all of them can be exploited by users \nwith the Subscriber role, the least privileged. \n \n \n8.4. *Abuse example: XSS in plugin configuration module* \n \nIf installed, *Related Ways To Take Action* is an example of a WordPress \nplugin that is affected by many cross-site scripting vulnerabilities \n(XSS) that can be leveraged by an attacker using the unchecked \nprivileges described in this advisory to inject persistent JavaScript \ncode. Possibly, arbitrary native code can be executed by the attacker if \nthe blog administrator, when he/she logs in, runs injected JavasScript \ncode that edits blog PHP code. The original URL for reconfiguring the \nplugin can be accessed only by the Administrator role. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php \n- -----------/ \n \nBut replacing the PHP file with the generic 'admin.php' any blog user \ncan modify this configuration. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php \n- -----------/ \n \nThe following JavaScript injection can be entered within field *Exclude \nactions by term* to exemplify this kind of abuse. When the administrator \nenters the same page the injected browser code will be executed and \npossibly blog PHP can be modified to run arbitrary native code. \n \n/----------- \n \n\\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref=\" \n \n- -----------/ \n \nThis is the worst scenario that we found for the vulnerability. \n \n \n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard* \n \nIf installed, the WordPress Security Scanner Plugin dashboard can be \nviewed similarly by any user besides the administrator using the plugin \nconfiguration page URL without modification. This dashboard includes \ncommon default blog configuration settings that are insecure and should \nbe modified by the blog administrator or hosting. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php \n- -----------/ \n \n \n \n \n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project* \n \nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be \nreconfigured accessed with the same vulnerability. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php \n- -----------/ \n \nThis gives an attacker the possibility to disable many features of the \nplugin, for example reactivate the forgotten password feature and \nreactivate the XML-RPC blog interface. Also you can deny the weblog \nservice by configuring this plugin to be overly sensitive, blocking any \nrequest. However the plugin cannot be totally disabled because the \nessential IDS parameters 'Maximum impact to ignore bad requests' and \n'Minimum impact to sanitize bad requests' are verified on the server \nside of the blog and cannot be distorted to deactivate the sanitizing or \nblocking features of the web IDS plugin. \n \n \n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID \n35584)* \n \nWordPress discriminates bad password from bad user logins, this reduces \nthe complexity of a brute force attack on WordPress blogs login \n(CVE-2009-2335, BID 35584). The same user information disclosure happens \nwhen users use the forgotten mail interface to request a new password \n(CVE-2009-2336, same BID 35584). These information disclosures seem to \nbe previously reported [6] but the WordPress team is refusing to modify \nthem alleging *user convenience*. \n \nDefault installation of WordPress 2.7.1 leaks the name of the user \nposting entries inside the HTML of the blog. \n \n/----------- \n \n<small>June 3rd, 2009 </small> \n- -----------/ \n \n \n \nAlso several administrative modules give to anyone the complete path \nwhere the web application is hosted inside the server. This may simplify \nor enable other malicious attacks. An example follows. \n \n/----------- \n \nhttp://[some_wordpress_blog]/wp-settings.php \n- -----------/ \n \n \n \n/----------- \n \nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in \n[WP_LEAKED_PATH]\\wp-settings.php on line 110 \nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in \n[WP_LEAKED_PATH]\\wp-settings.php on line 112 \nWarning: require(ABSPATHwp-includes/compat.php) [function.require]: \nfailed to open stream: \nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246 \nFatal error: require() [function.require]: Failed opening required \n'ABSPATHwp-includes/compat.php' \n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in \n[WP_LEAKED_PATH]\\wp-settings.php on line 246 \n \n- -----------/ \n \n \n \n \n9. *Report Timeline* \n \n. 2009-06-04: \nCore Security Technologies notifies the WordPress team of the \nvulnerabilities (security@wordpress.org) and offers a technical \ndescription encrypted or in plain-text. Advisory is planned for \npublication on June 22th. \n \n. 2009-06-08: \nCore notifies again the WordPress team of the vulnerability. \n \n. 2009-06-10: \nThe WordPress team asks Core for a technical description of the \nvulnerability in plain-text. \n \n. 2009-06-11: \nTechnical details sent to WordPress team by Core. \n \n. 2009-06-11: \nWordPress team notifies Core that a fix was produced and is available to \nCore for testing. WordPress team asserts that password and username \ndiscrimination as well as username leakage are known and will not be \nfixed because they are convenient for the users. \n \n. 2009-06-12: \nCore tells the WordPress team that the patch will be tested by Core as a \ncourtesy as soon as possible. It also requests confirmation that \nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to \nthe flaws included in the advisory draft CORE-2009-0515. \n \n. 2009-06-12: \nWordPress team confirms that WordPress 2.8 and earlier plus \nWordPress.com are vulnerable to the flaws included in the advisory draft. \n \n. 2009-06-17: \nCore informs the WordPress team that the patch is only fixing one of the \nfour proof of concept abuses included in the advisory draft. Core \nreminds the WordPress team that the advisory is scheduled to be \npublished on June 22th but a new schedule can be discussed. \n \n. 2009-06-19: \nCore asks for a new patched version of WordPress, if available, and \nnotifies the WordPress team that the publication of the advisory was \nre-scheduled to June 30th. \n \n. 2009-06-19: \nWordPress team confirms they have a new patch that has the potential to \nbreak a lot of plugins. \n \n. 2009-06-29: \nWordPress team asks for a delayance on advisory CORE-2009-0515 \npublication until July 6th, when WordPress MU version will be patched. \n \n. 2009-06-29: \nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th. \n \n. 2009-06-29: \nCore tells the WordPress team that other administrative PHP modules can \nalso be rendered by non-administrative users, such as module \n'admin-post.php' and 'link-parse-opml.php'. \n \n. 2009-07-02: \nWordPress team comments that 'admin.php' and 'admin-post.php' are \nintentionally open and plugins can choose to hook either privileged or \nunprivileged actions. They also comment that unprivileged access to \n'link-parse-opml.php' is benign but having this file open is bad form. \n \n. 2009-07-02: \nCore sends the WordPress team a new draft of the advisory and comments \nthat there is no capability specified in Worpress documentation for \nconfiguring plugins. Also control of actions registered by plugins is \nnot enforced. Core also notices that the privileges unchecked bug in \n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development \nrelease. \n \n. 2009-07-06: \nCore requests WordPress confirmation of the release date of WordPress \n2.8.1 and WordPress MU 2.8. \n \n. 2009-07-07: \nWordPress team confirms that a release candidate of WordPress 2.8.1 is \nmade available to users and that the advisory may be published. \n \n. 2009-07-06: \nCore requests WordPress confirmation of the release date of WordPress MU \nand WordPress MU new version numbers. \n \n. 2009-07-07: \nWordPress team release WordPress 2.8.1 RC1 to its users. \n \n. 2009-07-08: \nWordPress team confirms that WordPress MU 2.8.1 will be made available \nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th. \n \n. 2009-07-08: \nThe advisory CORE-2009-0515 is published. \n \n \n \n10. *References* \n \n[1] WordPress vulnerabilities in CVE database \nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress \n[2] SecuriTeam List of WordPress Vulnerabilities \nhttp://www.securiteam.com/products/W/Wordpress.html \n[3] WordPress Vulnerability - YBO Interactive Blog \nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/ \n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1 \nhttp://wordpress.org/support/topic/280748 \n[5] Security breach - xkcd blog \nhttp://blag.xkcd.com/2009/06/18/security-breach/ \n[6] securityvulns.com WordPress vulnerabilities digest in English \nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded \n[7] CVE-2008-0196 \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196 \n[8] WordPress Roles and Capabilities \nhttp://codex.wordpress.org/Roles_and_Capabilities \n[9] WordPress Download Counter \nhttp://wordpress.org/download/counter/ \n[10] WordPress Intrusion Detection System Plugin \nhttp://php-ids.org/2008/02/21/wpids-version-012-released/ \n[11] Hardening WordPress with htaccess \nhttp://blogsecurity.net/wordpress/article-210607 \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://www.coresecurity.com/corelabs. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies develops strategic solutions that help \nsecurity-conscious organizations worldwide develop and maintain a \nproactive process for securing their networks. The company's flagship \nproduct, CORE IMPACT, is the most comprehensive product for performing \nenterprise security assurance testing. CORE IMPACT evaluates network, \nendpoint and end-user vulnerabilities and identifies what resources are \nexposed. It enables organizations to determine if current security \ninvestments are detecting and preventing attacks. Core Security \nTechnologies augments its leading technology solution with world-class \nsecurity consulting services, including penetration testing and software \nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core \nSecurity Technologies can be reached at 617-399-6980 or on the Web at \nhttp://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2009 Core Security \nTechnologies and (c) 2009 CoreLabs, and may be distributed freely \nprovided that no fee is charged for this distribution and proper credit \nis given. \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.6 (MingW32) \nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org \n \niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N \nTPRpR0Gn0WqmF8HOeDslbA8= \n=zEDK \n-----END PGP SIGNATURE----- \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/79033/CORE-2009-0515.txt"}], "seebug": [{"lastseen": "2017-11-19T18:44:22", "description": "No description provided by source.", "published": "2009-07-10T00:00:00", "type": "seebug", "title": "WordPress Privileges Unchecked in admin.php and Multiple Information", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14855", "id": "SSV:14855", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\nWordPress Privileges Unchecked in admin.php and Multiple Information\r\nDisclosures\r\n\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\r\nInformation Disclosures\r\nAdvisory ID: CORE-2009-0515\r\nAdvisory URL:\r\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\r\nDate published: 2009-07-08\r\nDate of last update: 2009-07-08\r\nVendors contacted: WordPress\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Local file include, Privileges unchecked, Cross site scripting\r\n(XSS), Information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35581, 35584\r\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWordPress is a web application written in PHP that allows the easy\r\ninstallation of a flexible weblog on any computer connected to the\r\nInternet. WordPress 2.7 reached more than 6 million downloads during\r\nJune 2009 [9].\r\n\r\nA vulnerability was found in the way that WordPress handles some URL\r\nrequests. This results in unprivileged users viewing the content of\r\nplugins configuration pages, and also in some plugins modifying plugin\r\noptions and injecting JavaScript code. Arbitrary native code may be run\r\nby a malicious attacker if the blog administrator runs injected\r\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\r\nhosted outside 'wordpress.com', allow any person to create unprivileged\r\nusers called subscribers. Other sensitive username information\r\ndisclosures were found in WordPress.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . WordPress 2.8 and previous\r\n . WordPress MU 2.7.1 and previous, used in WordPress.com\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . WordPress 2.8.1\r\n . WordPress MU 2.8.1, used in WordPress.com\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\r\nSecurity): this vulnerability may be mitigated by controlling access to\r\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\r\nApache access control mechanism ('.htaccess' file), see guideline for\r\nmore information [11].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Fernando\r\nArnaboldi and Jos\u00c3\u00a9 Orlicki from Core Security Technologies. Further\r\nresearch was made by Jose Orlicki from Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nIn the last few years several security bugs were found in WordPress\r\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\r\nto exploitation by blog spammers [3]. During 2009, a new round of\r\nattacks has appeared and security researchers are reporting new bugs or\r\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\r\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\r\nreport that administrative privileges are still unchecked when accessing\r\nany PHP file inside a plugin folder.\r\n\r\n\r\n8.2. *Access Control Roles*\r\n\r\nWordPress has a privilege model where any user has an assigned role [8].\r\nRegarding plugins only users characterized by the role Administrator can\r\nactivate plugins. Notice that only the blog hosting owner can add new\r\nplugins because these must by copied inside the host filesystem. The\r\nroles Editor, Author or Subscriber (the latter has the least privileges)\r\ncannot activate plugins, edit plugins, update plugins nor delete plugins\r\ninstalled by an Administrator. Besides that, the configuration of\r\nspecific plugins is a grey area because there is no distinguished\r\ncapability assigned [8].\r\n\r\nAlso due to cross-site scripting vulnerabilities inside plugins options\r\n(something very common), non-administrative users reconfiguring plugins\r\nmay inject persistent JavaScript code. Possibly arbitrary native code\r\ncan be executed by the attacker if the blog administrator runs injected\r\nJavasScript code that injects PHP code. It is important to observe that\r\nmany WordPress-powered blogs are configured to allow any blog visitor to\r\ncreate a Subscriber user without confirmation from the Administrator\r\nrole inside the following URL, although by default the Administrator\r\nrole must create these new users.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-login.php?action=register\r\n- -----------/\r\n\r\n This can be modified by the administrator in 'Membership/Anyone can\r\nregister'.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\r\n(CVE-2009-2334, BID 35581)*\r\n\r\nNo privileges are checked on WordPress plugins configuration PHP modules\r\nusing parameter 'page' when we replace 'options-general.php' with\r\n'admin.php'. The same thing happens when replacing other modules such as\r\n'plugins.php' with 'admin.php'. Basic information disclosure is done\r\nthis way. For example, with the following URL a user with no privileges\r\ncan see the configuration of plugin Collapsing Archives, if installed.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Instead of the following allowed URL.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Another example of this information disclosure is shown on Akismet, a\r\nplugin shipped by default with WordPress.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\r\n- -----------/\r\n\r\n All plugins we have tested are vulnerable to this kind of information\r\ndisclosure, but in many of them the PHP files accessed just crashed. On\r\nthe other hand, for example, with capability 'import', privileges are\r\nchecked inside 'admin.php':\r\n\r\n/-----------\r\n\r\nif ( ! current_user_can('import') )\r\n wp_die(__('You are not allowed to import.'));\r\n- -----------/\r\n\r\n More dangerous scenarios exist, all of them can be exploited by users\r\nwith the Subscriber role, the least privileged.\r\n\r\n\r\n8.4. *Abuse example: XSS in plugin configuration module*\r\n\r\nIf installed, *Related Ways To Take Action* is an example of a WordPress\r\nplugin that is affected by many cross-site scripting vulnerabilities\r\n(XSS) that can be leveraged by an attacker using the unchecked\r\nprivileges described in this advisory to inject persistent JavaScript\r\ncode. Possibly, arbitrary native code can be executed by the attacker if\r\nthe blog administrator, when he/she logs in, runs injected JavasScript\r\ncode that edits blog PHP code. The original URL for reconfiguring the\r\nplugin can be accessed only by the Administrator role.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n But replacing the PHP file with the generic 'admin.php' any blog user\r\ncan modify this configuration.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\r\n- -----------/\r\n\r\n The following JavaScript injection can be entered within field *Exclude\r\nactions by term* to exemplify this kind of abuse. When the administrator\r\nenters the same page the injected browser code will be executed and\r\npossibly blog PHP can be modified to run arbitrary native code.\r\n\r\n/-----------\r\n\r\n\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref="\r\n\r\n- -----------/\r\n\r\n This is the worst scenario that we found for the vulnerability.\r\n\r\n\r\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\r\n\r\nIf installed, the WordPress Security Scanner Plugin dashboard can be\r\nviewed similarly by any user besides the administrator using the plugin\r\nconfiguration page URL without modification. This dashboard includes\r\ncommon default blog configuration settings that are insecure and should\r\nbe modified by the blog administrator or hosting.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\r\n\r\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\r\nreconfigured accessed with the same vulnerability.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\r\n- -----------/\r\n\r\n This gives an attacker the possibility to disable many features of the\r\nplugin, for example reactivate the forgotten password feature and\r\nreactivate the XML-RPC blog interface. Also you can deny the weblog\r\nservice by configuring this plugin to be overly sensitive, blocking any\r\nrequest. However the plugin cannot be totally disabled because the\r\nessential IDS parameters 'Maximum impact to ignore bad requests' and\r\n'Minimum impact to sanitize bad requests' are verified on the server\r\nside of the blog and cannot be distorted to deactivate the sanitizing or\r\nblocking features of the web IDS plugin.\r\n\r\n\r\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\r\n35584)*\r\n\r\nWordPress discriminates bad password from bad user logins, this reduces\r\nthe complexity of a brute force attack on WordPress blogs login\r\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\r\nwhen users use the forgotten mail interface to request a new password\r\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\r\nbe previously reported [6] but the WordPress team is refusing to modify\r\nthem alleging *user convenience*.\r\n\r\nDefault installation of WordPress 2.7.1 leaks the name of the user\r\nposting entries inside the HTML of the blog.\r\n\r\n/-----------\r\n\r\n <small>June 3rd, 2009 </small>\r\n- -----------/\r\n\r\n\r\n\r\nAlso several administrative modules give to anyone the complete path\r\nwhere the web application is hosted inside the server. This may simplify\r\nor enable other malicious attacks. An example follows.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-settings.php\r\n- -----------/\r\n\r\n\r\n\r\n/-----------\r\n\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\r\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\r\nfailed to open stream:\r\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\r\nFatal error: require() [function.require]: Failed opening required\r\n'ABSPATHwp-includes/compat.php'\r\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-06-04:\r\nCore Security Technologies notifies the WordPress team of the\r\nvulnerabilities (security@wordpress.org) and offers a technical\r\ndescription encrypted or in plain-text. Advisory is planned for\r\npublication on June 22th.\r\n\r\n. 2009-06-08:\r\nCore notifies again the WordPress team of the vulnerability.\r\n\r\n. 2009-06-10:\r\nThe WordPress team asks Core for a technical description of the\r\nvulnerability in plain-text.\r\n\r\n. 2009-06-11:\r\nTechnical details sent to WordPress team by Core.\r\n\r\n. 2009-06-11:\r\nWordPress team notifies Core that a fix was produced and is available to\r\nCore for testing. WordPress team asserts that password and username\r\ndiscrimination as well as username leakage are known and will not be\r\nfixed because they are convenient for the users.\r\n\r\n. 2009-06-12:\r\nCore tells the WordPress team that the patch will be tested by Core as a\r\ncourtesy as soon as possible. It also requests confirmation that\r\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\r\nthe flaws included in the advisory draft CORE-2009-0515.\r\n\r\n. 2009-06-12:\r\nWordPress team confirms that WordPress 2.8 and earlier plus\r\nWordPress.com are vulnerable to the flaws included in the advisory draft.\r\n\r\n. 2009-06-17:\r\nCore informs the WordPress team that the patch is only fixing one of the\r\nfour proof of concept abuses included in the advisory draft. Core\r\nreminds the WordPress team that the advisory is scheduled to be\r\npublished on June 22th but a new schedule can be discussed.\r\n\r\n. 2009-06-19:\r\nCore asks for a new patched version of WordPress, if available, and\r\nnotifies the WordPress team that the publication of the advisory was\r\nre-scheduled to June 30th.\r\n\r\n. 2009-06-19:\r\nWordPress team confirms they have a new patch that has the potential to\r\nbreak a lot of plugins.\r\n\r\n. 2009-06-29:\r\nWordPress team asks for a delayance on advisory CORE-2009-0515\r\npublication until July 6th, when WordPress MU version will be patched.\r\n\r\n. 2009-06-29:\r\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\r\n\r\n. 2009-06-29:\r\nCore tells the WordPress team that other administrative PHP modules can\r\nalso be rendered by non-administrative users, such as module\r\n'admin-post.php' and 'link-parse-opml.php'.\r\n\r\n. 2009-07-02:\r\nWordPress team comments that 'admin.php' and 'admin-post.php' are\r\nintentionally open and plugins can choose to hook either privileged or\r\nunprivileged actions. They also comment that unprivileged access to\r\n'link-parse-opml.php' is benign but having this file open is bad form.\r\n\r\n. 2009-07-02:\r\nCore sends the WordPress team a new draft of the advisory and comments\r\nthat there is no capability specified in Worpress documentation for\r\nconfiguring plugins. Also control of actions registered by plugins is\r\nnot enforced. Core also notices that the privileges unchecked bug in\r\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\r\nrelease.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress\r\n2.8.1 and WordPress MU 2.8.\r\n\r\n. 2009-07-07:\r\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\r\nmade available to users and that the advisory may be published.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress MU\r\nand WordPress MU new version numbers.\r\n\r\n. 2009-07-07:\r\nWordPress team release WordPress 2.8.1 RC1 to its users.\r\n\r\n. 2009-07-08:\r\nWordPress team confirms that WordPress MU 2.8.1 will be made available\r\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\r\n\r\n. 2009-07-08:\r\nThe advisory CORE-2009-0515 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] WordPress vulnerabilities in CVE database\r\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\r\n[2] SecuriTeam List of WordPress Vulnerabilities\r\nhttp://www.securiteam.com/products/W/Wordpress.html\r\n[3] WordPress Vulnerability - YBO Interactive Blog\r\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\r\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\r\nhttp://wordpress.org/support/topic/280748\r\n[5] Security breach - xkcd blog\r\nhttp://blag.xkcd.com/2009/06/18/security-breach/\r\n[6] securityvulns.com WordPress vulnerabilities digest in English\r\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\r\n[7] CVE-2008-0196\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\r\n[8] WordPress Roles and Capabilities\r\nhttp://codex.wordpress.org/Roles_and_Capabilities\r\n[9] WordPress Download Counter\r\nhttp://wordpress.org/download/counter/\r\n[10] WordPress Intrusion Detection System Plugin\r\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\r\n[11] Hardening WordPress with htaccess\r\nhttp://blogsecurity.net/wordpress/article-210607\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\r\nTPRpR0Gn0WqmF8HOeDslbA8=\r\n=zEDK\r\n-----END PGP SIGNATURE-----\r\n\r\n# sebug.net\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-14855", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T18:44:34", "description": "No description provided by source.", "published": "2009-07-09T00:00:00", "type": "seebug", "title": "WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11777", "id": "SSV:11777", "sourceData": "\n WordPress Privileges Unchecked in admin.php and Multiple Information\r\nDisclosures\r\n\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\r\nInformation Disclosures\r\nAdvisory ID: CORE-2009-0515\r\nAdvisory URL:\r\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Pr \\\r\nivileges_Unchecked Date published: 2009-07-08\r\nDate of last update: 2009-07-08\r\nVendors contacted: WordPress\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Local file include, Privileges unchecked, Cross site scripting\r\n(XSS), Information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 35581, 35584\r\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nWordPress is a web application written in PHP that allows the easy\r\ninstallation of a flexible weblog on any computer connected to the\r\nInternet. WordPress 2.7 reached more than 6 million downloads during\r\nJune 2009 [9].\r\n\r\nA vulnerability was found in the way that WordPress handles some URL\r\nrequests. This results in unprivileged users viewing the content of\r\nplugins configuration pages, and also in some plugins modifying plugin\r\noptions and injecting JavaScript code. Arbitrary native code may be run\r\nby a malicious attacker if the blog administrator runs injected\r\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\r\nhosted outside 'wordpress.com', allow any person to create unprivileged\r\nusers called subscribers. Other sensitive username information\r\ndisclosures were found in WordPress.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . WordPress 2.8 and previous\r\n . WordPress MU 2.7.1 and previous, used in WordPress.com\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . WordPress 2.8.1\r\n . WordPress MU 2.8.1, used in WordPress.com\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\r\nSecurity): this vulnerability may be mitigated by controlling access to\r\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\r\nApache access control mechanism ('.htaccess' file), see guideline for\r\nmore information [11].\r\n\r\n\r\n7. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Fernando\r\nArnaboldi and Jos\u00e9 Orlicki from Core Security Technologies. Further\r\nresearch was made by Jose Orlicki from Core Security Technologies.\r\n\r\n\r\n8. *Technical Description / Proof of Concept Code*\r\n\r\n\r\n8.1. *Introduction*\r\n\r\nIn the last few years several security bugs were found in WordPress\r\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\r\nto exploitation by blog spammers [3]. During 2009, a new round of\r\nattacks has appeared and security researchers are reporting new bugs or\r\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\r\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\r\nreport that administrative privileges are still unchecked when accessing\r\nany PHP file inside a plugin folder.\r\n\r\n\r\n8.2. *Access Control Roles*\r\n\r\nWordPress has a privilege model where any user has an assigned role [8].\r\nRegarding plugins only users characterized by the role Administrator can\r\nactivate plugins. Notice that only the blog hosting owner can add new\r\nplugins because these must by copied inside the host filesystem. The\r\nroles Editor, Author or Subscriber (the latter has the least privileges)\r\ncannot activate plugins, edit plugins, update plugins nor delete plugins\r\ninstalled by an Administrator. Besides that, the configuration of\r\nspecific plugins is a grey area because there is no distinguished\r\ncapability assigned [8].\r\n\r\nAlso due to cross-site scripting vulnerabilities inside plugins options\r\n(something very common), non-administrative users reconfiguring plugins\r\nmay inject persistent JavaScript code. Possibly arbitrary native code\r\ncan be executed by the attacker if the blog administrator runs injected\r\nJavasScript code that injects PHP code. It is important to observe that\r\nmany WordPress-powered blogs are configured to allow any blog visitor to\r\ncreate a Subscriber user without confirmation from the Administrator\r\nrole inside the following URL, although by default the Administrator\r\nrole must create these new users.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-login.php?action=register\r\n- -----------/\r\n\r\n This can be modified by the administrator in 'Membership/Anyone can\r\nregister'.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\r\n(CVE-2009-2334, BID 35581)*\r\n\r\nNo privileges are checked on WordPress plugins configuration PHP modules\r\nusing parameter 'page' when we replace 'options-general.php' with\r\n'admin.php'. The same thing happens when replacing other modules such as\r\n'plugins.php' with 'admin.php'. Basic information disclosure is done\r\nthis way. For example, with the following URL a user with no privileges\r\ncan see the configuration of plugin Collapsing Archives, if installed.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\r\n- -----------/\r\n\r\n Instead of the following allowed URL.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/opt \\\r\n ions.txt\r\n- -----------/\r\n\r\n Another example of this information disclosure is shown on Akismet, a\r\nplugin shipped by default with WordPress.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\r\n- -----------/\r\n\r\n All plugins we have tested are vulnerable to this kind of information\r\ndisclosure, but in many of them the PHP files accessed just crashed. On\r\nthe other hand, for example, with capability 'import', privileges are\r\nchecked inside 'admin.php':\r\n\r\n/-----------\r\n\r\nif ( ! current_user_can('import') )\r\n wp_die(__('You are not allowed to import.'));\r\n- -----------/\r\n\r\n More dangerous scenarios exist, all of them can be exploited by users\r\nwith the Subscriber role, the least privileged.\r\n\r\n\r\n8.4. *Abuse example: XSS in plugin configuration module*\r\n\r\nIf installed, *Related Ways To Take Action* is an example of a WordPress\r\nplugin that is affected by many cross-site scripting vulnerabilities\r\n(XSS) that can be leveraged by an attacker using the unchecked\r\nprivileges described in this advisory to inject persistent JavaScript\r\ncode. Possibly, arbitrary native code can be executed by the attacker if\r\nthe blog administrator, when he/she logs in, runs injected JavasScript\r\ncode that edits blog PHP code. The original URL for reconfiguring the\r\nplugin can be accessed only by the Administrator role.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways- \\\r\n to-take-action/options.php\r\n- -----------/\r\n\r\n But replacing the PHP file with the generic 'admin.php' any blog user\r\ncan modify this configuration.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/optio \\\r\n ns.php\r\n- -----------/\r\n\r\n The following JavaScript injection can be entered within field *Exclude\r\nactions by term* to exemplify this kind of abuse. When the administrator\r\nenters the same page the injected browser code will be executed and\r\npossibly blog PHP can be modified to run arbitrary native code.\r\n\r\n/-----------\r\n\r\n\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode( \\\r\n83))</script><ahref="\r\n\r\n- -----------/\r\n\r\n This is the worst scenario that we found for the vulnerability.\r\n\r\n\r\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\r\n\r\nIf installed, the WordPress Security Scanner Plugin dashboard can be\r\nviewed similarly by any user besides the administrator using the plugin\r\nconfiguration page URL without modification. This dashboard includes\r\ncommon default blog configuration settings that are insecure and should\r\nbe modified by the blog administrator or hosting.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php \\\r\n \r\n- -----------/\r\n\r\n\r\n\r\n\r\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\r\n\r\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\r\nreconfigured accessed with the same vulnerability.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\r\n- -----------/\r\n\r\n This gives an attacker the possibility to disable many features of the\r\nplugin, for example reactivate the forgotten password feature and\r\nreactivate the XML-RPC blog interface. Also you can deny the weblog\r\nservice by configuring this plugin to be overly sensitive, blocking any\r\nrequest. However the plugin cannot be totally disabled because the\r\nessential IDS parameters 'Maximum impact to ignore bad requests' and\r\n'Minimum impact to sanitize bad requests' are verified on the server\r\nside of the blog and cannot be distorted to deactivate the sanitizing or\r\nblocking features of the web IDS plugin.\r\n\r\n\r\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\r\n35584)*\r\n\r\nWordPress discriminates bad password from bad user logins, this reduces\r\nthe complexity of a brute force attack on WordPress blogs login\r\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\r\nwhen users use the forgotten mail interface to request a new password\r\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\r\nbe previously reported [6] but the WordPress team is refusing to modify\r\nthem alleging *user convenience*.\r\n\r\nDefault installation of WordPress 2.7.1 leaks the name of the user\r\nposting entries inside the HTML of the blog.\r\n\r\n/-----------\r\n\r\n <small>June 3rd, 2009 </small>\r\n- -----------/\r\n\r\n\r\n\r\nAlso several administrative modules give to anyone the complete path\r\nwhere the web application is hosted inside the server. This may simplify\r\nor enable other malicious attacks. An example follows.\r\n\r\n/-----------\r\n\r\nhttp://[some_wordpress_blog]/wp-settings.php\r\n- -----------/\r\n\r\n\r\n\r\n/-----------\r\n\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\r\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\r\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\r\nfailed to open stream:\r\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\r\nFatal error: require() [function.require]: Failed opening required\r\n'ABSPATHwp-includes/compat.php'\r\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\r\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\r\n\r\n- -----------/\r\n\r\n\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-06-04:\r\nCore Security Technologies notifies the WordPress team of the\r\nvulnerabilities (security@wordpress.org) and offers a technical\r\ndescription encrypted or in plain-text. Advisory is planned for\r\npublication on June 22th.\r\n\r\n. 2009-06-08:\r\nCore notifies again the WordPress team of the vulnerability.\r\n\r\n. 2009-06-10:\r\nThe WordPress team asks Core for a technical description of the\r\nvulnerability in plain-text.\r\n\r\n. 2009-06-11:\r\nTechnical details sent to WordPress team by Core.\r\n\r\n. 2009-06-11:\r\nWordPress team notifies Core that a fix was produced and is available to\r\nCore for testing. WordPress team asserts that password and username\r\ndiscrimination as well as username leakage are known and will not be\r\nfixed because they are convenient for the users.\r\n\r\n. 2009-06-12:\r\nCore tells the WordPress team that the patch will be tested by Core as a\r\ncourtesy as soon as possible. It also requests confirmation that\r\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\r\nthe flaws included in the advisory draft CORE-2009-0515.\r\n\r\n. 2009-06-12:\r\nWordPress team confirms that WordPress 2.8 and earlier plus\r\nWordPress.com are vulnerable to the flaws included in the advisory draft.\r\n\r\n. 2009-06-17:\r\nCore informs the WordPress team that the patch is only fixing one of the\r\nfour proof of concept abuses included in the advisory draft. Core\r\nreminds the WordPress team that the advisory is scheduled to be\r\npublished on June 22th but a new schedule can be discussed.\r\n\r\n. 2009-06-19:\r\nCore asks for a new patched version of WordPress, if available, and\r\nnotifies the WordPress team that the publication of the advisory was\r\nre-scheduled to June 30th.\r\n\r\n. 2009-06-19:\r\nWordPress team confirms they have a new patch that has the potential to\r\nbreak a lot of plugins.\r\n\r\n. 2009-06-29:\r\nWordPress team asks for a delayance on advisory CORE-2009-0515\r\npublication until July 6th, when WordPress MU version will be patched.\r\n\r\n. 2009-06-29:\r\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\r\n\r\n. 2009-06-29:\r\nCore tells the WordPress team that other administrative PHP modules can\r\nalso be rendered by non-administrative users, such as module\r\n'admin-post.php' and 'link-parse-opml.php'.\r\n\r\n. 2009-07-02:\r\nWordPress team comments that 'admin.php' and 'admin-post.php' are\r\nintentionally open and plugins can choose to hook either privileged or\r\nunprivileged actions. They also comment that unprivileged access to\r\n'link-parse-opml.php' is benign but having this file open is bad form.\r\n\r\n. 2009-07-02:\r\nCore sends the WordPress team a new draft of the advisory and comments\r\nthat there is no capability specified in Worpress documentation for\r\nconfiguring plugins. Also control of actions registered by plugins is\r\nnot enforced. Core also notices that the privileges unchecked bug in\r\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\r\nrelease.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress\r\n2.8.1 and WordPress MU 2.8.\r\n\r\n. 2009-07-07:\r\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\r\nmade available to users and that the advisory may be published.\r\n\r\n. 2009-07-06:\r\nCore requests WordPress confirmation of the release date of WordPress MU\r\nand WordPress MU new version numbers.\r\n\r\n. 2009-07-07:\r\nWordPress team release WordPress 2.8.1 RC1 to its users.\r\n\r\n. 2009-07-08:\r\nWordPress team confirms that WordPress MU 2.8.1 will be made available\r\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\r\n\r\n. 2009-07-08:\r\nThe advisory CORE-2009-0515 is published.\r\n\r\n\r\n\r\n10. *References*\r\n\r\n[1] WordPress vulnerabilities in CVE database\r\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\r\n[2] SecuriTeam List of WordPress Vulnerabilities\r\nhttp://www.securiteam.com/products/W/Wordpress.html\r\n[3] WordPress Vulnerability - YBO Interactive Blog\r\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\r\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\r\nhttp://wordpress.org/support/topic/280748\r\n[5] Security breach - xkcd blog\r\nhttp://blag.xkcd.com/2009/06/18/security-breach/\r\n[6] securityvulns.com WordPress vulnerabilities digest in English\r\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\r\n[7] CVE-2008-0196\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\r\n[8] WordPress Roles and Capabilities\r\nhttp://codex.wordpress.org/Roles_and_Capabilities\r\n[9] WordPress Download Counter\r\nhttp://wordpress.org/download/counter/\r\n[10] WordPress Intrusion Detection System Plugin\r\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\r\n[11] Hardening WordPress with htaccess\r\nhttp://blogsecurity.net/wordpress/article-210607\r\n\r\n\r\n11. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11777", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:05:05", "description": "\nWordPress Core MU Plugins - admin.php Privileges Unchecked Multiple Information Disclosures", "edition": 1, "published": "2009-07-10T00:00:00", "title": "WordPress Core MU Plugins - admin.php Privileges Unchecked Multiple Information Disclosures", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-0196", "CVE-2009-2334", "CVE-2009-2335", "CVE-2009-2336"], "modified": "2009-07-10T00:00:00", "id": "EXPLOITPACK:EA9973B6F5F19BFE8F3E86AA281A9086", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\nWordPress Privileges Unchecked in admin.php and Multiple Information\nDisclosures\n\n\n\n1. *Advisory Information*\n\nTitle: WordPress Privileges Unchecked in admin.php and Multiple\nInformation Disclosures\nAdvisory ID: CORE-2009-0515\nAdvisory URL:\nhttp://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked\nDate published: 2009-07-08\nDate of last update: 2009-07-08\nVendors contacted: WordPress\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Local file include, Privileges unchecked, Cross site scripting\n(XSS), Information disclosure\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 35581, 35584\nCVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336\n\n\n3. *Vulnerability Description*\n\nWordPress is a web application written in PHP that allows the easy\ninstallation of a flexible weblog on any computer connected to the\nInternet. WordPress 2.7 reached more than 6 million downloads during\nJune 2009 [9].\n\nA vulnerability was found in the way that WordPress handles some URL\nrequests. This results in unprivileged users viewing the content of\nplugins configuration pages, and also in some plugins modifying plugin\noptions and injecting JavaScript code. Arbitrary native code may be run\nby a malicious attacker if the blog administrator runs injected\nJavasScript code that edits blog PHP code. Many WordPress-powered blogs,\nhosted outside 'wordpress.com', allow any person to create unprivileged\nusers called subscribers. Other sensitive username information\ndisclosures were found in WordPress.\n\n\n4. *Vulnerable packages*\n\n . WordPress 2.8 and previous\n . WordPress MU 2.7.1 and previous, used in WordPress.com\n\n\n5. *Non-vulnerable packages*\n\n . WordPress 2.8.1\n . WordPress MU 2.8.1, used in WordPress.com\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nMitigation for the Privileges Unchecked vulnerability (suggested by Core\nSecurity): this vulnerability may be mitigated by controlling access to\nfiles inside the 'wp-admin' folder. Access can be prohibited by using\nApache access control mechanism ('.htaccess' file), see guideline for\nmore information [11].\n\n\n7. *Credits*\n\nThese vulnerabilities were discovered and researched by Fernando\nArnaboldi and Jos\u00c3\u00a9 Orlicki from Core Security Technologies. Further\nresearch was made by Jose Orlicki from Core Security Technologies.\n\n\n8. *Technical Description / Proof of Concept Code*\n\n\n8.1. *Introduction*\n\nIn the last few years several security bugs were found in WordPress\n[1][2]. During 2008, the big amount of bugs reported by researchers lead\nto exploitation by blog spammers [3]. During 2009, a new round of\nattacks has appeared and security researchers are reporting new bugs or\nwrongly fixed previously-reported bugs [4][5]. A path traversal in local\nfiles included by 'admin.php' has been fixed [6][7] but, in our case, we\nreport that administrative privileges are still unchecked when accessing\nany PHP file inside a plugin folder.\n\n\n8.2. *Access Control Roles*\n\nWordPress has a privilege model where any user has an assigned role [8].\nRegarding plugins only users characterized by the role Administrator can\nactivate plugins. Notice that only the blog hosting owner can add new\nplugins because these must by copied inside the host filesystem. The\nroles Editor, Author or Subscriber (the latter has the least privileges)\ncannot activate plugins, edit plugins, update plugins nor delete plugins\ninstalled by an Administrator. Besides that, the configuration of\nspecific plugins is a grey area because there is no distinguished\ncapability assigned [8].\n\nAlso due to cross-site scripting vulnerabilities inside plugins options\n(something very common), non-administrative users reconfiguring plugins\nmay inject persistent JavaScript code. Possibly arbitrary native code\ncan be executed by the attacker if the blog administrator runs injected\nJavasScript code that injects PHP code. It is important to observe that\nmany WordPress-powered blogs are configured to allow any blog visitor to\ncreate a Subscriber user without confirmation from the Administrator\nrole inside the following URL, although by default the Administrator\nrole must create these new users.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-login.php?action=register\n- -----------/\n\n This can be modified by the administrator in 'Membership/Anyone can\nregister'.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/options-general.php\n- -----------/\n\n\n\n\n8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes\n(CVE-2009-2334, BID 35581)*\n\nNo privileges are checked on WordPress plugins configuration PHP modules\nusing parameter 'page' when we replace 'options-general.php' with\n'admin.php'. The same thing happens when replacing other modules such as\n'plugins.php' with 'admin.php'. Basic information disclosure is done\nthis way. For example, with the following URL a user with no privileges\ncan see the configuration of plugin Collapsing Archives, if installed.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt\n- -----------/\n\n Instead of the following allowed URL.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt\n- -----------/\n\n Another example of this information disclosure is shown on Akismet, a\nplugin shipped by default with WordPress.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt\n- -----------/\n\n All plugins we have tested are vulnerable to this kind of information\ndisclosure, but in many of them the PHP files accessed just crashed. On\nthe other hand, for example, with capability 'import', privileges are\nchecked inside 'admin.php':\n\n/-----------\n\nif ( ! current_user_can('import') )\n wp_die(__('You are not allowed to import.'));\n- -----------/\n\n More dangerous scenarios exist, all of them can be exploited by users\nwith the Subscriber role, the least privileged.\n\n\n8.4. *Abuse example: XSS in plugin configuration module*\n\nIf installed, *Related Ways To Take Action* is an example of a WordPress\nplugin that is affected by many cross-site scripting vulnerabilities\n(XSS) that can be leveraged by an attacker using the unchecked\nprivileges described in this advisory to inject persistent JavaScript\ncode. Possibly, arbitrary native code can be executed by the attacker if\nthe blog administrator, when he/she logs in, runs injected JavasScript\ncode that edits blog PHP code. The original URL for reconfiguring the\nplugin can be accessed only by the Administrator role.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php\n- -----------/\n\n But replacing the PHP file with the generic 'admin.php' any blog user\ncan modify this configuration.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php\n- -----------/\n\n The following JavaScript injection can be entered within field *Exclude\nactions by term* to exemplify this kind of abuse. When the administrator\nenters the same page the injected browser code will be executed and\npossibly blog PHP can be modified to run arbitrary native code.\n\n/-----------\n\n\\\"/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref=\"\n\n- -----------/\n\n This is the worst scenario that we found for the vulnerability.\n\n\n8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*\n\nIf installed, the WordPress Security Scanner Plugin dashboard can be\nviewed similarly by any user besides the administrator using the plugin\nconfiguration page URL without modification. This dashboard includes\ncommon default blog configuration settings that are insecure and should\nbe modified by the blog administrator or hosting.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php\n- -----------/\n\n\n\n\n8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*\n\nIf installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be\nreconfigured accessed with the same vulnerability.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php\n- -----------/\n\n This gives an attacker the possibility to disable many features of the\nplugin, for example reactivate the forgotten password feature and\nreactivate the XML-RPC blog interface. Also you can deny the weblog\nservice by configuring this plugin to be overly sensitive, blocking any\nrequest. However the plugin cannot be totally disabled because the\nessential IDS parameters 'Maximum impact to ignore bad requests' and\n'Minimum impact to sanitize bad requests' are verified on the server\nside of the blog and cannot be distorted to deactivate the sanitizing or\nblocking features of the web IDS plugin.\n\n\n8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID\n35584)*\n\nWordPress discriminates bad password from bad user logins, this reduces\nthe complexity of a brute force attack on WordPress blogs login\n(CVE-2009-2335, BID 35584). The same user information disclosure happens\nwhen users use the forgotten mail interface to request a new password\n(CVE-2009-2336, same BID 35584). These information disclosures seem to\nbe previously reported [6] but the WordPress team is refusing to modify\nthem alleging *user convenience*.\n\nDefault installation of WordPress 2.7.1 leaks the name of the user\nposting entries inside the HTML of the blog.\n\n/-----------\n\n <small>June 3rd, 2009 </small>\n- -----------/\n\n\n\nAlso several administrative modules give to anyone the complete path\nwhere the web application is hosted inside the server. This may simplify\nor enable other malicious attacks. An example follows.\n\n/-----------\n\nhttp://[some_wordpress_blog]/wp-settings.php\n- -----------/\n\n\n\n/-----------\n\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\n[WP_LEAKED_PATH]\\wp-settings.php on line 110\nNotice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in\n[WP_LEAKED_PATH]\\wp-settings.php on line 112\nWarning: require(ABSPATHwp-includes/compat.php) [function.require]:\nfailed to open stream:\nNo such file or directory in [WP_LEAKED_PATH]\\wp-settings.php on line 246\nFatal error: require() [function.require]: Failed opening required\n'ABSPATHwp-includes/compat.php'\n(include_path='.;[PHP_LEAKED_PATH]\\php5\\pear') in\n[WP_LEAKED_PATH]\\wp-settings.php on line 246\n\n- -----------/\n\n\n\n\n9. *Report Timeline*\n\n. 2009-06-04:\nCore Security Technologies notifies the WordPress team of the\nvulnerabilities (security@wordpress.org) and offers a technical\ndescription encrypted or in plain-text. Advisory is planned for\npublication on June 22th.\n\n. 2009-06-08:\nCore notifies again the WordPress team of the vulnerability.\n\n. 2009-06-10:\nThe WordPress team asks Core for a technical description of the\nvulnerability in plain-text.\n\n. 2009-06-11:\nTechnical details sent to WordPress team by Core.\n\n. 2009-06-11:\nWordPress team notifies Core that a fix was produced and is available to\nCore for testing. WordPress team asserts that password and username\ndiscrimination as well as username leakage are known and will not be\nfixed because they are convenient for the users.\n\n. 2009-06-12:\nCore tells the WordPress team that the patch will be tested by Core as a\ncourtesy as soon as possible. It also requests confirmation that\nWordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to\nthe flaws included in the advisory draft CORE-2009-0515.\n\n. 2009-06-12:\nWordPress team confirms that WordPress 2.8 and earlier plus\nWordPress.com are vulnerable to the flaws included in the advisory draft.\n\n. 2009-06-17:\nCore informs the WordPress team that the patch is only fixing one of the\nfour proof of concept abuses included in the advisory draft. Core\nreminds the WordPress team that the advisory is scheduled to be\npublished on June 22th but a new schedule can be discussed.\n\n. 2009-06-19:\nCore asks for a new patched version of WordPress, if available, and\nnotifies the WordPress team that the publication of the advisory was\nre-scheduled to June 30th.\n\n. 2009-06-19:\nWordPress team confirms they have a new patch that has the potential to\nbreak a lot of plugins.\n\n. 2009-06-29:\nWordPress team asks for a delayance on advisory CORE-2009-0515\npublication until July 6th, when WordPress MU version will be patched.\n\n. 2009-06-29:\nCore agrees to delay publication of advisory CORE-2009-0515 until July 6th.\n\n. 2009-06-29:\nCore tells the WordPress team that other administrative PHP modules can\nalso be rendered by non-administrative users, such as module\n'admin-post.php' and 'link-parse-opml.php'.\n\n. 2009-07-02:\nWordPress team comments that 'admin.php' and 'admin-post.php' are\nintentionally open and plugins can choose to hook either privileged or\nunprivileged actions. They also comment that unprivileged access to\n'link-parse-opml.php' is benign but having this file open is bad form.\n\n. 2009-07-02:\nCore sends the WordPress team a new draft of the advisory and comments\nthat there is no capability specified in Worpress documentation for\nconfiguring plugins. Also control of actions registered by plugins is\nnot enforced. Core also notices that the privileges unchecked bug in\n'admin.php?page=' is fixed on WordPress 2.8.1-beta2 latest development\nrelease.\n\n. 2009-07-06:\nCore requests WordPress confirmation of the release date of WordPress\n2.8.1 and WordPress MU 2.8.\n\n. 2009-07-07:\nWordPress team confirms that a release candidate of WordPress 2.8.1 is\nmade available to users and that the advisory may be published.\n\n. 2009-07-06:\nCore requests WordPress confirmation of the release date of WordPress MU\nand WordPress MU new version numbers.\n\n. 2009-07-07:\nWordPress team release WordPress 2.8.1 RC1 to its users.\n\n. 2009-07-08:\nWordPress team confirms that WordPress MU 2.8.1 will be made available\nas soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.\n\n. 2009-07-08:\nThe advisory CORE-2009-0515 is published.\n\n\n\n10. *References*\n\n[1] WordPress vulnerabilities in CVE database\nhttp://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress\n[2] SecuriTeam List of WordPress Vulnerabilities\nhttp://www.securiteam.com/products/W/Wordpress.html\n[3] WordPress Vulnerability - YBO Interactive Blog\nhttp://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/\n[4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1\nhttp://wordpress.org/support/topic/280748\n[5] Security breach - xkcd blog\nhttp://blag.xkcd.com/2009/06/18/security-breach/\n[6] securityvulns.com WordPress vulnerabilities digest in English\nhttp://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded\n[7] CVE-2008-0196\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196\n[8] WordPress Roles and Capabilities\nhttp://codex.wordpress.org/Roles_and_Capabilities\n[9] WordPress Download Counter\nhttp://wordpress.org/download/counter/\n[10] WordPress Intrusion Detection System Plugin\nhttp://php-ids.org/2008/02/21/wpids-version-012-released/\n[11] Hardening WordPress with htaccess\nhttp://blogsecurity.net/wordpress/article-210607\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.6 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N\nTPRpR0Gn0WqmF8HOeDslbA8=\n=zEDK\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-07-10]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debian": [{"lastseen": "2020-08-12T00:57:06", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4769", "CVE-2009-2851", "CVE-2009-2334", "CVE-2008-6762", "CVE-2008-6767", "CVE-2008-4796", "CVE-2008-4106", "CVE-2009-2853", "CVE-2008-5113", "CVE-2008-1502", "CVE-2009-2854"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1871-2 security@debian.org\nhttp://www.debian.org/security/ Steffen Joeris\nAugust 27, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\n\nPackage : wordpress \nVulnerability : several vulnerabilities \nProblem type : remote \nDebian-specific: no \nCVE IDs : CVE-2008-6762 CVE-2008-6767 CVE-2009-2334 CVE-2009-2854\n CVE-2009-2851 CVE-2009-2853 CVE-2008-1502 CVE-2008-4106\n CVE-2008-4769 CVE-2008-4796 CVE-2008-5113 \nDebian Bugs : 531736 536724 504243 500115 504234 504771 \n\n\nThe previous wordpress update introduced a regression when fixing\nCVE-2008-4769 due to a function that was not backported with the patch.\nPlease note that this regression only affects the oldstable distribution\n(etch). For reference the original advisory text follows.\n\n\nSeveral vulnerabilities have been discovered in wordpress, weblog\nmanager. The Common Vulnerabilities and Exposures project identifies the\nfollowing problems: \n\nCVE-2008-6762\n\nIt was discovered that wordpress is prone to an open redirect \nvulnerability which allows remote attackers to conduct phishing atacks.\n\nCVE-2008-6767\n\nIt was discovered that remote attackers had the ability to trigger an\napplication upgrade, which could lead to a denial of service attack. \n\nCVE-2009-2334\n\nIt was discovered that wordpress lacks authentication checks in the \nplugin configuration, which might leak sensitive information. \n\nCVE-2009-2854\n\nIt was discovered that wordpress lacks authentication checks in various\nactions, thus allowing remote attackers to produce unauthorised edits or\nadditions. \n\nCVE-2009-2851\n\nIt was discovered that the administrator interface is prone to a\ncross-site scripting attack. \n\nCVE-2009-2853\n\nIt was discovered that remote attackers can gain privileges via certain\ndirect requests. \n\nCVE-2008-1502\n\nIt was discovered that the _bad_protocol_once function in KSES, as used\nby wordpress, allows remote attackers to perform cross-site scripting \nattacks. \n\nCVE-2008-4106\n\nIt was discovered that wordpress lacks certain checks around user\ninformation, which could be used by attackers to change the password of\na user. \n\nCVE-2008-4769\n\nIt was discovered that the get_category_template function is prone to a\ndirectory traversal vulnerability, which could lead to the execution of\narbitrary code. \n\nCVE-2008-4796\n\nIt was discovered that the _httpsrequest function in the embedded snoopy\nversion is prone to the execution of arbitrary commands via shell \nmetacharacters in https URLs. \n\nCVE-2008-5113\n\nIt was discovered that wordpress relies on the REQUEST superglobal array\nin certain dangerous situations, which makes it easier to perform \nattacks via crafted cookies. \n\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.5.1-11+lenny1. \n\nFor the oldstable distribution (etch), these problems have been fixed in\nversion 2.0.10-1etch5. \n\nFor the testing distribution (squeeze) and the unstable distribution\n(sid), these problems have been fixed in version 2.8.3-1. \n\n\nWe recommend that you upgrade your wordpress packages.\n\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (oldstable)\n- ------------------\n\nOldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch5.dsc\n Size/MD5 checksum: 607 303f4e7e168c04dddd64ae2b7300337e\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz\n Size/MD5 checksum: 520314 e9d5373b3c6413791f864d56b473dd54\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch5.diff.gz\n Size/MD5 checksum: 51120 9dcee118356aa6950bd4b994b6c11def\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch5_all.deb\n Size/MD5 checksum: 521174 18a19046fd5707ea64745818a5a673f6\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 8, "modified": "2009-08-27T01:39:16", "published": "2009-08-27T01:39:16", "id": "DEBIAN:DSA-1871-2:31819", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00193.html", "title": "[SECURITY] [DSA 1871-2] New wordpress packages fix regression", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-12T01:00:03", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4769", "CVE-2009-2851", "CVE-2009-2334", "CVE-2008-6762", "CVE-2008-6767", "CVE-2008-4796", "CVE-2008-4106", "CVE-2009-2853", "CVE-2008-5113", "CVE-2008-1502", "CVE-2009-2854"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1871-1 security@debian.org\nhttp://www.debian.org/security/ Steffen Joeris\nAugust 23, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : wordpress \nVulnerability : several vulnerabilities \nProblem type : remote \nDebian-specific: no \nCVE IDs : CVE-2008-6762 CVE-2008-6767 CVE-2009-2334 CVE-2009-2854\n CVE-2009-2851 CVE-2009-2853 CVE-2008-1502 CVE-2008-4106\n CVE-2008-4769 CVE-2008-4796 CVE-2008-5113 \nDebian Bugs : 531736 536724 504243 500115 504234 504771 \n\n\nSeveral vulnerabilities have been discovered in wordpress, weblog\nmanager. The Common Vulnerabilities and Exposures project identifies the\nfollowing problems: \n\nCVE-2008-6762\n\nIt was discovered that wordpress is prone to an open redirect \nvulnerability which allows remote attackers to conduct phishing atacks.\n\nCVE-2008-6767\n\nIt was discovered that remote attackers had the ability to trigger an\napplication upgrade, which could lead to a denial of service attack. \n\nCVE-2009-2334\n\nIt was discovered that wordpress lacks authentication checks in the\nplugin configuration, which might leak sensitive information. \n\nCVE-2009-2854\n\nIt was discovered that wordpress lacks authentication checks in various\nactions, thus allowing remote attackers to produce unauthorised edits or\nadditions. \n\nCVE-2009-2851\n\nIt was discovered that the administrator interface is prone to a\ncross-site scripting attack. \n\nCVE-2009-2853\n\nIt was discovered that remote attackers can gain privileges via certain\ndirect requests. \n\nCVE-2008-1502\n\nIt was discovered that the _bad_protocol_once function in KSES, as used\nby wordpress, allows remote attackers to perform cross-site scripting\nattacks.\n\nCVE-2008-4106\n\nIt was discovered that wordpress lacks certain checks around user\ninformation, which could be used by attackers to change the password of\na user.\n\nCVE-2008-4769\n\nIt was discovered that the get_category_template function is prone to a\ndirectory traversal vulnerability, which could lead to the execution of\narbitrary code.\n\nCVE-2008-4796\n\nIt was discovered that the _httpsrequest function in the embedded snoopy\nversion is prone to the execution of arbitrary commands via shell\nmetacharacters in https URLs.\n\nCVE-2008-5113\n\nIt was discovered that wordpress relies on the REQUEST superglobal array\nin certain dangerous situations, which makes it easier to perform\nattacks via crafted cookies.\n\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.5.1-11+lenny1.\n\nFor the oldstable distribution (etch), these problems have been fixed in\nversion 2.0.10-1etch4.\n\nFor the testing distribution (squeeze) and the unstable distribution\n(sid), these problems have been fixed in version 2.8.3-1.\n\n\nWe recommend that you upgrade your wordpress packages.\n\n\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (oldstable)\n- ------------------\n\nOldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch4.diff.gz\n Size/MD5 checksum: 50984 45349b0822fc376b8cfef51b5cec3510\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz\n Size/MD5 checksum: 520314 e9d5373b3c6413791f864d56b473dd54\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch4.dsc\n Size/MD5 checksum: 607 d9389cbc71eee6f08b15762a97c9d537\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch4_all.deb\n Size/MD5 checksum: 521060 71a6aea482d0e7afb9c82701bef336e9\n\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.5.1-11+lenny1.dsc\n Size/MD5 checksum: 1051 46d9daad717f36918e2709757523f6eb\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.5.1.orig.tar.gz\n Size/MD5 checksum: 1181886 b1a40387006e54dcbd963d0cb5da0df4\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.5.1-11+lenny1.diff.gz\n Size/MD5 checksum: 702119 07658ad36bed8829f58b1b6223eac294\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.5.1-11+lenny1_all.deb\n Size/MD5 checksum: 1029028 2d30e38e22761f87e23d2c85120bb1ff\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 8, "modified": "2009-08-23T03:41:31", "published": "2009-08-23T03:41:31", "id": "DEBIAN:DSA-1871-1:82465", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00188.html", "title": "[SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}