Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 229991 (CVE-2007-1049) - CVE-2007-1049: wordpress < 2.1.1 XSS
Summary: CVE-2007-1049: wordpress < 2.1.1 XSS
Alias: CVE-2007-1049
Product: Fedora
Classification: Fedora
Component: wordpress
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: John Berninger
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-25 16:37 UTC by Ville Skyttä
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-02-27 16:12:40 UTC

Attachments (Terms of Use)

Description Ville Skyttä 2007-02-25 16:37:38 UTC

"Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in
the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before
2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web
script or HTML via the file parameter to wp-admin/templates.php, and possibly
other vectors involving the action variable."

FE5+ apparently affected.

Comment 1 John Berninger 2007-02-27 16:12:40 UTC
New packages uploaded / built

Comment 2 David Eisenstein 2007-03-03 04:07:08 UTC
Although John Beringer indicates as of 2007-02-27, new packages have
been uploaded and built for Wordpress, I am not seeing any new packages
in Extras repositories for Wordpress for FC5 nor for devel.  What's going on?

Comment 3 Jason Tibbitts 2007-03-03 04:42:19 UTC
Indeed, it seems that the new versions were tagged, but I don't see that they
were ever built.  It's probably just an oversight; I could build them myself but
at this point I think it's more prudent to wait to see if the maintainer will
chime in soon.

Comment 4 Ville Skyttä 2007-03-03 07:47:17 UTC
Which repository/mirror do you use?  I verified the existence of the builds
before marking this CVE taken care of in fedora-security/audit/fe* and they're
still there just as expected:

| grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:41:47 GMT

| grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 21:40:52 GMT

| grep '\(OK\|Last-Mod\)'
200 OK
Last-Modified: Tue, 27 Feb 2007 23:30:09 GMT

Comment 5 John Berninger 2007-03-03 13:26:51 UTC

New packages were indeed built as of 27-Feb-2007.  If a given mirror does not
have the new packages, you may wish to contact that mirror's maintainer.

Comment 6 Jason Tibbitts 2007-03-03 15:07:56 UTC
Hmm, I'm mirroring from  How odd, the binary rpm is there, but the
source rpm isn't.  Sorry for not checking deeper earlier.  WHen I saw that the
srpm wasn't there, I tried to extract info from the buildsys but of course you
can only go back a couple of days.

Comment 7 Ville Skyttä 2007-03-03 15:38:30 UTC
That kind of situation is almost certainly a mirroring issue.  The scripts used
to publish Extras repositories work so that before creating and pushing a repo
to the primary public mirror, all binary rpms for which a source rpm is not
available are removed.

Comment 8 Jason Tibbitts 2007-03-03 15:47:25 UTC
In any case, I've re-pulled my mirror and the srpm is there, so I don't know
what was up.  And in any case this is all moot since you really, really don't
want to be running 2.1.1 anyway.

Note You need to log in before you can comment on or make changes to this bug.