Re: CVE request: WordPress 3.5.1 Maintenance and Security Release
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 26 Jan 2013 00:19:00 -0700
On 01/25/2013 02:13 AM, Henri Salo wrote:
> WordPress 3.5.1 also addresses the following security issues:
Can I get confirmation on details of these issues so I can properly
assign CVEs? Thanks!
> - A server-side request forgery vulnerability and remote port
> scanning using pingbacks. This vulnerability, which could
> potentially be used to expose information and compromise a site,
> affects all previous WordPress versions. This was fixed by the
> WordPress security team. We'd like to thank security researchers
> Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
Basically it applies filters to pingbacks, things like:

return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn't exist, or it is not a pingback-enabled resource.'));

so I was largely able to confirm this one.
> - Two instances of cross-site scripting via shortcodes and post
> content. These issues were discovered by Jon Cave of the WordPress
I found one instance of esc_attr() changed to esc_url() on a URL used in
embedded media; I'm guessing this is the XSS mentioned in the
description as "post content"?
wp-35/wp-includes/js/media-editor.min.js. It looks like this might
need two CVEs if they are widely different.
> - A cross-site scripting vulnerability in the external library
> Plupload. Thanks to the Moxiecode team for working with us on this,
> and for releasing Plupload 1.5.5 to address this issue.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
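Added example, not part of the original message and not WordPress code: the thread only shows the IXR_Error message returned when a pingback target is refused, and the esc_attr() to esc_url() change that Kurt spotted. The block below is a from-scratch Python illustration of both checks, so that the two fixes being discussed (pingback target filtering against SSRF and port scanning, and scheme-aware URL escaping against XSS) can be exercised offline. The policy it enforces (http/https only, no credentials, ports 80/443 only, resolved address must be publicly routable, and an attribute-context escaper versus a URL escaper) is a hypothetical one of my own choosing, as are the function names and the constructed host table; none of it is taken from the WordPress patch.

```python
"""
Added example (not WordPress code): the two classes of check discussed in the
thread, written from scratch in Python.

  1. validate_pingback_target(): a target-URL filter of the kind that stops a
     pingback endpoint being used for SSRF and remote port scanning.
     Hypothetical policy: http/https only, no credentials, ports 80/443 only,
     and the address the host resolves to must be publicly routable.
  2. esc_attr() vs esc_url(): why attribute-context escaping alone does not
     make a URL safe inside href/src, and what a scheme-aware escaper adds.

DNS resolution is injected as a callable so the example runs offline against
a constructed host table instead of real DNS.
"""
import html
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def default_resolver(host):
    """Real DNS lookup; the demo below substitutes a constructed table."""
    return socket.gethostbyname(host)


def validate_pingback_target(url, resolver=default_resolver):
    """Return (ok, reason). ok is False for any URL a pingback handler
    should refuse to fetch. Every rejection happens before any request."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not http/https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port          # raises ValueError for junk or >65535
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        # Arbitrary ports are what turn a pingback into a port scanner.
        return False, "port %d not allowed (port-scan vector)" % port
    # Resolve the name ourselves so a public DNS name that points at
    # 127.0.0.1 or 10/8 is caught the same way a literal address is.
    try:
        addr = ipaddress.ip_address(resolver(host))
    except (OSError, ValueError):
        return False, "host does not resolve"
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped    # ::ffff:10.0.0.1 is really 10.0.0.1
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return False, "resolves to non-public address %s" % addr
    return True, "ok"


# Constructed host table for offline use (example data, not real DNS).
_HOSTS = {
    "blog.example": "8.8.8.8",        # stand-in for a public address
    "intranet.example": "10.1.2.3",   # RFC 1918, must be refused
    "rebind.example": "127.0.0.1",    # public-looking name, loopback target
}


def table_resolver(host):
    """Offline stand-in for DNS: passes literals through, looks names up."""
    try:
        ipaddress.ip_address(host)
        return host                   # already an address literal
    except ValueError:
        pass
    if host in _HOSTS:
        return _HOSTS[host]
    raise OSError("NXDOMAIN")


def esc_attr(value):
    """Attribute-context escaping only. The value is safe as *text* inside a
    quoted attribute, but an href of javascript:... is still executed."""
    return html.escape(value, quote=True)


def esc_url(url):
    """Scheme-aware escaping: empty string for a disallowed scheme (so the
    attribute renders inert), otherwise attribute-escaped. Tabs and newlines
    are removed first because browsers ignore them inside a scheme."""
    cleaned = url.strip().replace("\t", "").replace("\r", "").replace("\n", "")
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return ""
    return esc_attr(cleaned)


def render_link(url, escaper):
    """Template fragment used to compare the two escapers."""
    return '<a href="%s">link</a>' % escaper(url)


if __name__ == "__main__":
    for u in ("http://blog.example/post/1", "http://127.0.0.1:22/",
              "http://rebind.example/", "http://[::ffff:10.0.0.1]/"):
        print(u, "->", validate_pingback_target(u, table_resolver))
    print(render_link("javascript:alert(1)", esc_attr))
    print(render_link("javascript:alert(1)", esc_url))
```

Two caveats a practitioner would add on top of this: the resolve-then-fetch sequence is a time-of-check/time-of-use window (a short-TTL name can change between the check and the request), so the HTTP client should connect to the validated address rather than re-resolving; and any redirect the target returns must be run through the same validation before it is followed, otherwise a public host can bounce the request to an internal one.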