Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
That’s not really a WordPress issue, more like a patch in WordPress would address a host configuration problem with the web server.
See the remediation section here.
http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
Which really goes here for an httpd.conf option.
https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname
Mind you, on my nginx web server this isn’t a problem.
This reply was modified 8 years, 12 months ago by Jan Dembowski. Reason: Fixing silly typo
There are two parts to that remediation section: the first offers a server solution to use the canonical name, but the second is that WP could use home or siteurl instead of SERVER_NAME to solve it for every install regardless of server flavour.
If looking up the SERVER_NAME/host is the vulnerability in both instances, wouldn’t it make sense to instead use the configured value, or is there some benefit at the WP end to using SERVER_NAME in wp-includes/pluggable.php?
There is a public ticket about this issue which you can follow here:
https://core.trac.ww.wp.xz.cn/ticket/25239
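The site-side approach raised in the thread (take the mail host from the configured home value rather than SERVER_NAME) can be applied without editing wp-includes/pluggable.php by hooking the `wp_mail_from` filter. This is an added example, not WordPress core code or code from any poster here; the function name `example_configured_mail_host` and the mu-plugin file path are assumptions.

```php
<?php
/**
 * Added example (not WordPress core code): pin the default From address
 * to the host of the configured "home" option.
 * Assumed location: wp-content/mu-plugins/fixed-mail-from.php
 */

/**
 * Host part of the configured home URL, lowercased and without "www.".
 * Returns '' when the option holds no usable host.
 * (Hypothetical helper name, used only in this example.)
 */
function example_configured_mail_host() {
    $host = wp_parse_url( get_option( 'home' ), PHP_URL_HOST );
    if ( ! is_string( $host ) || '' === $host ) {
        return '';
    }
    $host = strtolower( $host );
    if ( 0 === strpos( $host, 'www.' ) ) {
        $host = substr( $host, 4 );
    }
    return $host;
}

// Priority 1: run early so plugins that set their own sender still win.
add_filter( 'wp_mail_from', function ( $from_email ) {
    $host = example_configured_mail_host();

    // Core's default sender is "wordpress@" plus the request-derived host.
    // Anything else was set explicitly by the caller, so leave it alone.
    if ( '' === $host || 0 !== strpos( $from_email, 'wordpress@' ) ) {
        return $from_email;
    }

    $fixed = 'wordpress@' . $host;

    // Fall back to the original value if the result is not a valid address.
    return is_email( $fixed ) ? $fixed : $from_email;
}, 1 );
```

On Apache, this complements setting `UseCanonicalName On` with an explicit `ServerName`, as in the linked documentation, rather than replacing it.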