Debian, Information, OpenSourceSoftware, Security

[SECURITY] [DSA 1871-2] New wordpress packages fix regression

After installing “[SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities” from 23 August 2009, I quickly saw that there was something wrong in the logs:
PHP Fatal error: Call to undefined function absint() in /usr/share/wordpress/wp-includes/functions.php on line 2008.

I looked over the DSA and identified the fix for CVE-2008-4769 as what broke this. Then I emailed Steffen Joeris, who released the DSA, and notified him about my findings. Two hours later, Giuseppe Iuculano sent me an update, which I installed and confirmed worked, and in which I could not find any regressions.

I looked at CVE-2008-4769 and at the Secunia advisory, which claims that the vulnerability only works on the Windows platform. This probably explains why Debian waited so long to include the fix. The original CVE is from 2008-04-25, so this is old news btw…

From advisories:
“It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks. Successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.”

I have only registered generic attacks in the wild against the ‘cat’ parameter in my gamelinux.org and other web logs (dating back to Dec 2006). No requests seem to aim at exploiting this vulnerability specifically.
An example of a URL that was supposed to work (not confirmed):
http://www.gamelinux.org/?cat=1.php/../searchform?
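For defenders who want to find the same kind of generic ‘cat’ parameter probing in their own web logs, here is an added example (not from the original post, not WordPress or Debian code) that scans combined-format access-log lines for traversal sequences in the `cat` query parameter, decoding URL encoding first so `%2F` and `%2e` variants are not missed. It also shows an integer coercion modelled on the `absint()` call that the DSA fix relies on: once `cat` is forced to a non-negative integer, no path fragment can reach the template lookup. The log lines and IP addresses are constructed sample data, and `absint_like` is only an approximation of PHP's behaviour (leading digits are parsed, anything else becomes 0), not WordPress's own implementation.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Aug/2009:10:01:02 +0200] "GET /?cat=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [27/Aug/2009:10:01:05 +0200] "GET /?cat=1.php/../searchform? HTTP/1.1" 200 4096 "-" "-"
203.0.113.7 - - [27/Aug/2009:10:01:09 +0200] "GET /?cat=..%2F..%2Fwp-config HTTP/1.1" 404 312 "-" "-"
203.0.113.8 - - [27/Aug/2009:10:01:12 +0200] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# Forward- or backslash parent-directory sequences after decoding.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def cat_values(target):
    """Return every 'cat' value in the request target's query string (URL-decoded)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get('cat', [])


def is_traversal(value):
    """True if the value still contains a traversal sequence after decoding.

    unquote is applied twice so a double-encoded '%252e%252e%252f' is also caught.
    """
    decoded = unquote(unquote(value))
    return TRAVERSAL_RE.search(decoded) is not None


def scan_log(text):
    """Return one hit per request whose 'cat' parameter carries a traversal sequence."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for value in cat_values(m['target']):
            if is_traversal(value):
                hits.append({'ip': m['ip'], 'ts': m['ts'], 'cat': value})
    return hits


def absint_like(value):
    """Approximation (assumption, not WordPress's code) of the absint() coercion.

    Like PHP's intval(), leading digits are taken and the rest is dropped; a value
    with no leading integer becomes 0. The result is never negative and can never
    carry a path component, which is why the template lookup is safe after it.
    """
    m = re.match(r'^\s*([+-]?\d+)', value)
    return abs(int(m.group(1))) if m else 0


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} cat={hit['cat']!r} -> coerced {absint_like(hit['cat'])}")
```

Run against a real log file by feeding its contents to `scan_log`; the coerced value printed beside each hit shows what the patched code would have seen instead of the raw parameter.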

The DSA regression was released 4 days after the original DSA BTW.
