Package: wordpress
Version: 2.8.4-2
Severity: important
The fix for bug 500295 is too restrictive. It disables a completely reasonable way of configuring wordpress. Using symlinks is probably the only way of allowing trusted users to manage their wordpress configuration without having to be root (other than to create the symlink). We use this type of configuration, given that we have users that we trust.

The proposed additional solution of adding a list of directories that can contain configuration files is messy - there must be a better solution!

One problem with the fix is that the nature of the possible attack isn't actually explained in the bug. Can someone please explain it? Then we could help to try and find a better solution.

Does the attack involve having special characters/substrings like '/' and ".." in HTTP_HOST, which then possibly allows them to run code in files in the uploads area? If so, why not just disallow '/' in HTTP_HOST? That would seem to be a simpler and less restrictive fix... There must be a fix that doesn't impose the restrictions that realpath() implies...

Note, we haven't yet installed version 2.8.4-2 because we'd like to make sure we have a workaround/solution that allows us to have users manage their own configurations and minimise the amount of root access they require.
peace & happiness,
martin

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages wordpress depends on:
ii  apache2                    2.2.13-2           Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h     2.2.13-2           Apache HTTP Server - traditional n
ii  libapache2-mod-php5        5.2.10.dfsg.1-2.2  server-side, HTML-embedded scripti
ii  libjs-jquery               1.3.3-2            JavaScript library for dynamic web
ii  libjs-prototype            1.6.1-1            JavaScript Framework for dynamic w
ii  libjs-scriptaculous        1.8.2-2            JavaScript library for dynamic web
ii  libphp-phpmailer           2.1-1              full featured email transfer class
ii  libphp-snoopy              1.2.4-1            Snoopy is a PHP class that simulat
ii  mysql-client-5.0 [virt     5.0.51a-24+lenny2  MySQL database client binaries
ii  php5                       5.2.10.dfsg.1-2.2  server-side, HTML-embedded scripti
ii  php5-gd                    5.2.10.dfsg.1-2.2  GD module for php5
ii  php5-mysql                 5.2.10.dfsg.1-2.2  MySQL module for php5
ii  tinymce                    3.2.6-1            platform independent web based Jav

wordpress recommends no packages.

Versions of packages wordpress suggests:
hi  mysql-server-5.0 [virt     5.0.51a-24+lenny1  MySQL database server binaries

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/wordpress/wp-includes/pluggable.php (from wordpress package)
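The mechanism the report asks about, as an added illustration that is not the Debian package's code nor part of the bug report: a per-host configuration file chosen from HTTP_HOST, shown first without any validation of the header and then with the kind of strict hostname check the report proposes instead of realpath(). The /etc/wordpress layout, the config-<host>.php naming and the sample Host headers are assumptions made for this example.

```php
<?php
// Added example, not code from the Debian wordpress package or the bug report.
// Models a per-host config file selected from HTTP_HOST: an unvalidated
// variant beside one that validates the hostname syntax and leaves symlinks
// alone (no realpath()).

// Assumed layout for this example (hypothetical).
const CONFIG_DIR = '/etc/wordpress';

// Unvalidated variant: the client-controlled Host header becomes part of an
// include path. "Host: ../../var/www/uploads/x" gives
// /etc/wordpress/config-../../var/www/uploads/x.php, which the kernel
// resolves to /var/www/uploads/x.php, i.e. a file in the uploads area.
function config_path_unsafe(string $host): string
{
    return CONFIG_DIR . '/config-' . $host . '.php';
}

// Validated variant: accept only something that is syntactically a hostname
// (optionally with :port). '/', '..', NUL and control characters can then
// never reach the filesystem path. Because realpath() is not used, a symlink
// such as /etc/wordpress/config-example.com.php -> /home/alice/wp-config.php
// keeps working for a trusted user.
function config_path_checked(string $host): ?string
{
    $host = strtolower($host);

    // Drop an optional ":port" suffix; only digits are allowed there.
    if (($colon = strpos($host, ':')) !== false) {
        $port = substr($host, $colon + 1);
        if ($port === '' || !ctype_digit($port) || (int)$port > 65535) {
            return null;
        }
        $host = substr($host, 0, $colon);
    }

    // Each label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen;
    // labels joined by single dots (so ".." cannot appear); total length
    // bounded as in RFC 1035. The D modifier stops '$' matching before a
    // trailing newline.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if ($host === '' || strlen($host) > 253
        || !preg_match("/^$label(?:\\.$label)*$/D", $host)) {
        return null;
    }

    return CONFIG_DIR . '/config-' . $host . '.php';
}

// Constructed sample Host headers for an offline check.
function demo(): array
{
    $inputs = [
        'example.com',
        'Blog.Example.COM:8080',
        '../../var/www/uploads/x',
        'example.com/../uploads/x',
        "example.com\0.php",
        '-bad.example.com',
    ];
    $out = [];
    foreach ($inputs as $h) {
        $out[$h] = config_path_checked($h);
    }
    return $out;
}

foreach (demo() as $h => $p) {
    printf("%-30s => %s\n", addcslashes($h, "\0"), $p ?? 'rejected');
}
```

Run with `php example.php`: the first two inputs map to config-example.com.php and config-blog.example.com.php, the remaining four are rejected before any path is built. This addresses the traversal the report hypothesises; the bug report on this page does not state what attack the maintainer actually had in mind, so whether a hostname check alone satisfies bug 500295 is not something this example can settle.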