WordPress 2.0.x /2.2.x security issues

Several issues affecting the security of WordPress 2.2.x were recently posted to another web site. I have omitted a link to that site because the site owner suggests that users ought to use a 'friendly' worm to patch their files. I don't and will not ever recommend that a webmaster allow any untrusted third-party site access to their files. That said, the issues raised are legitimate.

I purposefully leave 2.1.x versions of WordPress out of my WordPress posts — but be aware that some of these issues undoubtedly exist in that version as well.

Fixing the issues requires more than a few file edits, so I have provided the edits where they are simple and also provided links to the SVN copies if you would rather not make edits and prefer to just upload the newly changed files.

Additionally, some of the same issues affect WordPress 2.0.10+.

For 2.2.x users:

The first changed file is wp-admin/admin-functions.php.

Inside the file, locate the following at Line #904:

$start = (int) $start;

That should be changed to read:

$start = abs( (int) $start );

The SVN copy of wp-admin/admin-functions.php is available here. The links are actually to the trac, but the files are identical.

A new wp-admin/upload-functions.php is available, which addresses several security concerns. You can browse or download that file here.

Inside wp-admin/edit-comments.php locate the following:

if ( isset( $_GET['apage'] ) )
    $page = (int) $_GET['apage'];
else
    $page = 1;

Those four lines should be changed like so:

if ( isset( $_GET['apage'] ) )
    $page = abs( (int) $_GET['apage'] );
else
    $page = 1;

You can browse or download the changed wp-admin/edit-comments.php on the WordPress SVN, here.

Inside wp-admin/link-import.php locate the following:

$cat_id = $_POST['cat_id'];
if ( $cat_id == '' || $cat_id == 0 )
    $cat_id = 1;

The above should be changed to:

$cat_id = abs( (int) $_POST['cat_id'] );
if ( $cat_id < 1 )
    $cat_id = 1;

Once again, if you would rather grab the entire file instead of making the manual change, you can download an SVN copy of wp-admin/link-import.php here.
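To see why the plain (int) cast is not enough on its own, here is an added example (not WordPress code; the function names are hypothetical) that combines the two patterns from the edits above, abs() around the integer cast and the "< 1" clamp from the link-import.php change, for a page number that is turned into the offset of a SQL LIMIT clause:

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.
// Compares what the unpatched (int) cast lets through with the patched
// abs((int) ...) plus "< 1" clamp, for a page number that becomes the
// offset of a SQL LIMIT clause.

// Unpatched pattern: cast only. A negative page gives a negative offset.
function page_offset_before(array $get, int $per_page = 20): int
{
    $page = isset($get['apage']) ? (int) $get['apage'] : 1;
    return ($page - 1) * $per_page;
}

// Patched pattern: cast, abs(), then clamp so page 0 cannot go negative.
function page_offset_after(array $get, int $per_page = 20): int
{
    $page = isset($get['apage']) ? abs((int) $get['apage']) : 1;
    if ($page < 1) {
        $page = 1;
    }
    return ($page - 1) * $per_page;
}

// Builds the clause; only the offset value differs between the two paths.
function limit_clause(int $offset, int $per_page = 20): string
{
    return "LIMIT $offset, $per_page";
}

// Constructed query-string values; "-3" and "0" are the cases the fix targets.
// (int) "12abc" is 12 and (int) "abc" is 0, so both paths agree on those.
foreach (['3', '-3', '0', '12abc', 'abc'] as $raw) {
    $get = ['apage' => $raw];
    printf("apage=%-6s  before: %-14s  after: %s\n",
        $raw,
        limit_clause(page_offset_before($get)),
        limit_clause(page_offset_after($get)));
}
```

In MySQL a negative LIMIT offset is a syntax error, so the unpatched path turns a malformed query string into a database error; the abs() and clamp keep the offset well formed.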

Next, the WordPress developers have made an updated wp-includes/functions.php available that contains other security-related fixes, here.

And lastly, an updated wp-admin/options.php is available that fixes a security issue. You can browse and download that file here.

That should do it for WordPress 2.2.x.

For 2.0.x users:

2.0.x users should be aware that WordPress 2.0.11 RC3 addresses several other issues that have come up in the past few months, since the release of 2.0.10.

I recommend all WordPress 2.0.x users upgrade to that release candidate and then make the following changes. It is available here.

WordPress 2.0.x users should go to trac.wordpress.org, download at least the following three files, and replace the ones on their sites with the updated versions:

1. wp-admin/link-import.php

2. wp-admin/options.php

3. wp-includes/functions.php

When browsing the files on trac, you can download complete files by scrolling to the bottom of the page and clicking the link at the bottom labelled "Plain Text".

All done!

Good luck, stay safe, and I would be on the lookout for a new release of WP sooner rather than later.


3 Responses to “WordPress 2.0.x /2.2.x security issues”

1 On August 3rd, 2007 ¥åßßå typed :

I have omitted a link to that site because the site owner suggests that users ought to use a 'friendly' worm to patch their files.

Hey, I got the first Weblog XSS Worm based on several new Wordpress 2.2.1 Security Vulnerabilities I found these days.

Look familiar? ;)

¥

2 On August 3rd, 2007 whoo answered:

That's off that site, isn't it? The second quote? Or no?

3 On August 3rd, 2007 ¥åßßå typed :

Nah, that was from some comment spam that the dick's been throwing round the web about his new wonder worm ;)

¥