2.0.7 security vulnerability – patch soon?

  • I received a report that 2.0.7 has a security vulnerability. 2.1 is fixed but requires MySQL 4 which is not available for all the WP sites I need to upgrade. Is there going to be a 2.0.8 patch release soon?

    Advisory: Multiple Remote Vulnerabilities in WordPress
    Advisory ID: 4tphi-sa-20070111-wordpress
    Release Date: 01-24-2007
    Author: Blake Matheny (bmatheny@mobocracy.net)
    Software: WordPress < 2.1
    Impact: Remote & Local DoS, File Disclosure

    Overview:
    Multiple vulnerabilities exist in the XMLRPC and Pingback
    implementation that are included with WordPress. Note that some issues discovered with Pingback affect other vendors as well.

Viewing 15 replies - 1 through 15 (of 16 total)
  • Moderator Samuel Wood (Otto)

    @otto42

    WordPress.org Tech Dude

    It looks like it’s a simple patch, you could probably do it yourself.

    More info and the patch details are here:
    http://www.securityfocus.com/archive/1/458003/30/30/threaded

    Thanks Otto42! Sorry to be daft, but I’m a little less comfortable on the command line than I am with an IDE. How is this patch applied? Does the PLUS sign indicate lines of code that are added? It looks like there is no code removed, just added, correct?

    function wp_remote_fopen( $uri ) {
    + $timeout = 10;
    + $parsed_url = @parse_url($uri);
    + if ( !$parsed_url || !is_array($parsed_url) )
    + {
    + return false;
    + }
    + if ( !isset($parsed_url['scheme']) ||
    + !in_array($parsed['scheme'], array('http','https')) )
    + {
    + $uri = 'http://' . $uri;
    + }
    if ( ini_get('allow_url_fopen') ) {
    $fp = @fopen( $uri, 'r' );
    if ( !$fp )
    return false;
    + stream_set_timeout($fp, $timeout);
    $linea = '';
    while( $remote_read = fread($fp, 4096) )
    $linea .= $remote_read;
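Review bot: the scheme test in this hunk reads `$parsed['scheme']`, but the variable assigned above it is `$parsed_url`. Since `$parsed` is never set, `in_array()` cannot match 'http' or 'https', and `'http://'` is prepended to every URI, including ones that already carry a valid scheme. Change the second condition to `!in_array($parsed_url['scheme'], array('http','https'))`, which is what the 2.1 version of the function posted later in this thread uses.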
    @@ -2200,8 +2212,11 @@
    curl_setopt ($handle, CURLOPT_URL, $uri);
    curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);
    curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);
    + curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout);
    $buffer = curl_exec($handle);
    curl_close($handle);
    + if ( !preg_match('/.*text/.*/', curl_getinfo($handle, CURLINFO_CONTENT_TYPE)) )
    + return '';
    return $buffer;
    } else {
    return false;
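Review bot: the content-type check calls `curl_getinfo($handle, CURLINFO_CONTENT_TYPE)` after `curl_close($handle)`, so it reads from a handle that has already been closed; move the check above `curl_close($handle)`. The pattern `'/.*text/.*/'` as shown also has an unescaped `/` inside `/` delimiters, which ends the pattern early; use a different delimiter or escape the slash. As written, this check cannot be relied on to tell text responses from other content.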

    Moderator Samuel Wood (Otto)

    @otto42

    WordPress.org Tech Dude

    Yes, the + indicates adding a new line of code.

    The bit where it says @@ -2200,8 +2212,11 @@ means that you should skip ahead to line 2200 (in the original file) or line 2212 (in the new file) to continue adding your lines and such.

    The lines with no + or – or ! in front of them are unchanged, and just given as reference points.

    An easier way would be to use the command line program called “patch” which can read that format and do the work for you.
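To make the format described above concrete, here is a minimal hunk applier, added as an illustration (it is not code from the thread or from WordPress, and it is not the `patch` program itself). The `ORIGINAL` and `HUNK` samples are constructed, modelled on the cURL lines of the patch; the function refuses to apply a hunk whose context lines do not match the file.

```python
import re
# Header format: "@@ -old_start,old_len +new_start,new_len @@",
# e.g. "@@ -2200,8 +2212,11 @@" = 8 lines in the old file, 11 in the new one.
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def apply_hunk(original, hunk):
    """Apply one unified-diff hunk; refuse if the file does not match its context."""
    m = HUNK_RE.match(hunk[0])
    if not m:
        raise ValueError("not a hunk header: %r" % hunk[0])
    old_start, old_len, _new_start, new_len = (
        int(g) if g is not None else 1 for g in m.groups())
    pos = old_start - 1            # header line numbers are 1-based
    out = original[:pos]           # lines before the hunk are untouched
    consumed = produced = 0
    for line in hunk[1:]:
        tag, text = line[:1], line[1:]
        if tag not in ("+", " ", "-"):
            raise ValueError("unexpected line in hunk: %r" % line)
        if tag != "+":             # context and removed lines must match the file
            if pos >= len(original) or original[pos] != text:
                raise ValueError("context mismatch at original line %d" % (pos + 1))
            pos += 1
            consumed += 1
        if tag != "-":             # context and added lines go into the new file
            out.append(text)
            produced += 1
    if (consumed, produced) != (old_len, new_len):
        raise ValueError("hunk body does not match the counts in its header")
    return out + original[pos:]

# Constructed sample file and hunk (not the real functions.php).
ORIGINAL = [
    "curl_setopt ($handle, CURLOPT_URL, $uri);",
    "curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);",
    "curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);",
    "$buffer = curl_exec($handle);",
    "curl_close($handle);",
]
HUNK = [
    "@@ -2,3 +2,4 @@",
    " curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);",
    " curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);",
    "+curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout);",
    " $buffer = curl_exec($handle);",
]
PATCHED = apply_hunk(ORIGINAL, HUNK)
```

A context mismatch is the signal that the file on disk is not the version the patch was written against, which is the point at which to stop rather than force the change in.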

    Thanks for your help! Patching on the command line turned out to be a snap. For those who remain less adventurous, I have posted the patched functions.php file for download here:
    http://www.stevensmedia.com/blog/?p=115

    I tried applying the patch that solutionsphp was kind enough to provide and I get this error when I attempt to either edit a page or post or access the Links Manager:


    Fatal error: Call to undefined function: attribute_escape() in /home/pixelit/public_html/wp-includes/functions.php on line 2380

    I’m not about to subject myself to further grief by upgrading to WP 2.1 while it’s still in the state it’s in.

    Any other solutions?

    attribute_escape() was introduced in 2.0.6, are you not upgraded to at least 2.0.6?

    Indeed you are not if the site in your profile is any indication.

    >>I’m not about to subject myself to further grief by upgrading to WP 2.1 while it’s still in the state it’s in.

    then upgrade to 2.0.7

    follow the standard upgrade procedure to go from 2.0.4 > 2.0.6 then upload the couple new files that make up 2.0.7, then make the necessary changes for that little hole.

    piece of cake 🙂

    Yes, but the SecurityFocus article linked to above references this:

    Software: WordPress < 2.1

    I am running 2.0.7. THIS is what I did.

    I took the same function that exists within 2.1 (IT'S FIXED) and replaced the old function. It works fine.

    YOU DO NOT NEED TO RUN 2.1 TO FIX THAT HOLE.

    This is the function taken right out of 2.1, and it works perfectly within 2.0.7:


    function wp_remote_fopen( $uri ) {
        $timeout = 10;
        $parsed_url = @parse_url($uri);
        if ( !$parsed_url || !is_array($parsed_url) )
            return false;
        if ( !isset($parsed_url['scheme']) || !in_array($parsed_url['scheme'], array('http','https')) )
            $uri = 'http://' . $uri;
        if ( ini_get('allow_url_fopen') ) {
            $fp = @fopen( $uri, 'r' );
            if ( !$fp )
                return false;
            stream_set_timeout($fp, $timeout); // Requires php 4.3
            $linea = '';
            while( $remote_read = fread($fp, 4096) )
                $linea .= $remote_read;
            fclose($fp);
            return $linea;
        } else if ( function_exists('curl_init') ) {
            $handle = curl_init();
            curl_setopt ($handle, CURLOPT_URL, $uri);
            curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);
            curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout);
            $buffer = curl_exec($handle);
            curl_close($handle);
            return $buffer;
        } else {
            return false;
        }
    }

    It's just fixed, it doesn't use any special additions from 2.1 and it would be nice if ppl gave decent advice instead of “working” to get ppl to upgrade to something they don't need to.

    I'm not necessarily talking about you diane, btw, about the “working” thing, I just think ppl don't realize that they don't have to run that blasted bug ridden 2.1

    Hm. I’m getting “error establishing a database connection” at the stevensmedia link.

    So … what? Is this just a matter of adding the SecurityFocus code to functions.php?

    Sorry about the downtime… my host was doing some server maintenance and MySQL didn’t come back online properly. No rest for the wicked!

    I can’t replicate the errors that jonimueller is experiencing… when you upgraded to 2.0.7 did you *delete* files from the server or overwrite them? Overwriting doesn’t always work in my experience.

    I upgraded my various WP sites (running anything from 2.0.1 to 2.0.5) to 2.0.7 in one fell swoop (as a matter of practice I backup the *.sql file, disable the plugins and nuke the /wp-includes and /wp-admin folders and all *.php files except wp-config.php before uploading upgrade files).

    Once that was done and working fine, I then applied the patched functions.php file as kindly provided above and all is well. Thanks everyone.

    J

    Yay, glad to hear it’s working for you! Thanks for reporting back.

    >>I’m not about to subject myself to further grief by upgrading to WP 2.1 while it’s still in the state it’s in.

    I tried 2.1, too. Very slow in the post editor and switching between visual and code tabs very slow, code does not show some tags. In short, I prefer 2.0.5 (sorry to criticize… I do appreciate the hard work, but I’ll wait for a few 2.1 releases).

    >>then upgrade to 2.0.7

    >>follow the standard upgrade procedure to go from 2.0.4 > 2.0.6 then upload the couple new files that make up 2.0.7, then make the necessary changes for that little hole.

    I’d like to wait for the 2.0.7 fix in the stable release of 2.0.8 (now RC1); will I need to upgrade to 2.0.6, then 2.0.7, then 2.0.8? I was thinking I could just upgrade from 5 to 8, but is that wrong?

    Or would you guys recommend not waiting for 2.0.8?

    Thanks!!!

    Most likely you’ll be able to go from 2.0.5 to 2.0.8… at least that was the case with the other minor upgrades (2.0.x -> to 2.0.7)

    “Most likely”? I was assuming so too, but I can’t find anything in the forum to confirm it and the posts in this topic give me doubts. Can you confirm it? Thanks!!!

  • The topic ‘2.0.7 security vulnerability – patch soon?’ is closed to new replies.