Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 235015 (CVE-2007-1732) - CVE-2007-1732: wordpress mt import XSS
Summary: CVE-2007-1732: wordpress mt import XSS
Alias: CVE-2007-1732
Product: Fedora
Classification: Fedora
Component: wordpress
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: John Berninger
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-04-03 11:08 UTC by Ville Skyttä
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-04-08 22:22:50 UTC

Attachments (Terms of Use)

Description Ville Skyttä 2007-04-03 11:08:02 UTC

"** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in
wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators
to inject arbitrary web script or HTML via the demo parameter. NOTE: the
provenance of this information is unknown; the details are obtained solely from
third party information. NOTE: another researcher disputes this issue, stating
that this is legitimate functionality for administrators. However, it has been
patched by at least one vendor."

Posted for maintainer assessment whether this is a feature or a bug, and whether
it affects current FE releases.  FWIW, Gentoo has patched it.

Comment 1 John Berninger 2007-04-08 22:22:50 UTC
This looks to me like a valid feature - it requires authentication and willing
interaction on the part of the authenticated individual to exploit.  I can't
really call someone who knowingly and willingly uses such a feature a "victim".
 Although I can see where some would consider this a bug, I don't.  If someone
can point out a scheme whereby this would be a problem, I'm willing to be
convinced otherwise, but until then, CLOSED-NOTABUG

Comment 2 Ville Skyttä 2007-04-09 08:23:51 UTC
Just some general data points for consideration, I'm not necessarily disagreeing
with comment 1:

Missing/ineffective cross site request forgery preventation measures would
invalidate the "knowing/willing" assumption.  But if I understand correctly,
Wordpress's admin UI has that protection.

Requiring authentication and willing interaction doesn't IMO make this a feature
if the goal was not to provide a possibility for injection of arbitrary markup
or scripts; it just affects the attack vectors.

Note You need to log in before you can comment on or make changes to this bug.