In association with heise online

27 June 2007, 10:50

Three holes closed in WordPress

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Version 2.2.1 of the popular WordPress blog system not only fixes a number of simple bugs, but also closes three security holes. First, WordPress uses the PHPMailer class to send e-mails via sendmail or PHP's mail(). Unfortunately, PHPMailer in 1.7.3 contains a vulnerability that allows specially crafted parameters including metacharacters in the sender property (which normally contains the address of the sender of the message) to be used to send commands to the shell and have them executed. The problem is caused by failure to properly sanitise user-supplied input passed to the Sender property before it is passed to a popen() call.

For the hole to be exploited under WordPress, however, PHPMailer has to use sendmail to send the e-mails. PHP's safe mode can also be switched on to prevent the hole from being exploited. In addition to the bug in WordPress, the discoverer of the hole says that various other PHP applications also use PHPMailer, including Mantis, WebCalendar, Group-Office and Joomla and could therefore be vulnerable.

Additionally, a SQL injection hole in WordPress which allowed unauthorized access to the underlying database has now officially been remedied. Until now, the update was only available in developer repositories.

Finally, the developers have remedied a cross-site-scripting problem (XSS) in WordPress's default theme. Previous versions of WordPress also had trouble with XSS in themes. In the official announcement, the fourth vulnerability that version 2.2.1 reportedly also remedies is not mentioned. Apparently, it can be exploited to get around a number of security restrictions in order to upload files.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit