After installing “[SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities” from 23 August 2009, I quickly saw that there was something wrong in the logs:
PHP Fatal error: Call to undefined function absint() in /usr/share/wordpress/wp-includes/functions.php on line 2008.
I looked over the DSA, and identified the fix for CVE-2008-4769 as what broke this. Then I emailed Steffen Joeris, who released the DSA, and notified him about my findings. Two hours later, Giuseppe Iuculano sent me an update which I installed and confirmed worked, and in which I could not find any regressions.
I looked at the CVE-2008-4769 and at the Secunia advisory, which claims that the vulnerability only works on the Windows platform. This probably explains why Debian has waited so long to include the fix. The original CVE is from 2008-04-25, so this is old news btw…
“It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks. Successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.”
I have only registered generic attacks in the wild against the ‘cat’ parameter in my gamelinux.org and other web logs (dating back to Dec 2006). No requests seem to aim at exploiting this vulnerability specifically.
An example of a URL that was supposed to work (not confirmed):
The DSA regression was released 4 days after the original DSA BTW.
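A sketch of the kind of log review described above, added here as an example and not the author's own tooling: it flags requests whose ‘cat’ value is not a plain integer and separates traversal-looking values from other junk. The log lines are constructed, and the rule that legitimate ‘cat’ values are signed, comma-separated integers is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate 'cat' values are integers, optionally signed
# and comma-separated (e.g. "5" or "-3,7"). Anything else is reported.
VALID_CAT = re.compile(r"-?\d+(,-?\d+)*")
TRAVERSAL = re.compile(r"\.\.[\\/]")  # "../" or "..\" after URL decoding
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE = [
    '192.0.2.10 - - [24/Aug/2009:10:00:01 +0200] "GET /?cat=5 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [24/Aug/2009:10:00:02 +0200] "GET /?cat=-3,7 HTTP/1.1" 200 4100',
    '198.51.100.7 - - [24/Aug/2009:10:00:03 +0200] "GET /index.php?cat=..%5C..%5Cexample HTTP/1.1" 200 300',
    '198.51.100.8 - - [24/Aug/2009:10:00:04 +0200] "GET /?cat=1%27 HTTP/1.1" 200 300',
    '198.51.100.9 - - [24/Aug/2009:10:00:05 +0200] "GET /?p=12 HTTP/1.1" 200 300',
]


def classify_cat(value):
    """Return 'ok', 'traversal' or 'non-integer' for one decoded cat value."""
    if VALID_CAT.fullmatch(value):
        return "ok"
    if TRAVERSAL.search(value):
        return "traversal"
    return "non-integer"


def scan(lines):
    """Return (line_no, client, verdict, value) for each suspicious cat value."""
    findings = []
    for no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue  # not a request line we can parse
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes once, so "%5C" is seen as a backslash.
        for key, value in parse_qsl(query, keep_blank_values=True):
            if key == "cat" and classify_cat(value) != "ok":
                client = line.split(" ", 1)[0]
                findings.append((no, client, classify_cat(value), value))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Values sent in a POST body do not appear in an access log, so this only covers the query string.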