Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: WordPress 3.5.1 Maintenance and Security Release
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 28 Jan 2013 23:50:26 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/26/2013 01:13 PM, Andrew Nacin wrote:
On Sat, Jan 26, 2013 at 2:19 AM, Kurt Seifried
<kseifried () redhat com> wrote:

- A server-side request forgery vulnerability and remote port 
scanning using pingbacks. This vulnerability, which could 
potentially be used to expose information and compromise a
site, affects all previous WordPress versions. This was fixed
by the WordPress security team. We’d like to thank security
researchers Gennady Kovshenin and Ryan Dewhurst for reviewing
our work.

Basically it applies filters to pingbacks, things like:

return new IXR_Error(33, __('The specified target URL cannot be
used as a target. It either doesn't exist, or it is not a
pingback-enabled resource.')); so I was largely abl to confirm
this one.


The primary fix is to better validate a URL before triggering an
HTTP request to it. You can see this with the filter and function 
pingback_ping_source_uri in
http://core.trac.wordpress.org/changeset/23330. It blocks
credentials, odd ports, RFC1918 IPs, etc. Turning the error 
messages into generic errors was an additional defensive measure
but due to the other fixes, does not address a particular
vulnerability.

What these fixes target have already been written about publicly: 
http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/


http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

Please use CVE-2013-0235 for this issue

- Two instances of cross-site scripting via shortcodes and post
content. These issues were discovered by Jon Cave of the
WordPress security team.


I found one instance of esc_attr() to esc_url() on a url used in
embedded media, I'm guessing this is the XSS mentioned in the 
description as "post content"?


That was one — http://core.trac.wordpress.org/changeset/23322. The
other was http://core.trac.wordpress.org/changeset/23317, which
serves to fully validate HTML tags passed to a shortcode and reject
exploitative values.

All I'm seeing for shortcodes related junk is in a big JavaScript
blob
wp-35/wp-includes/js/media-editor.min.js. It looks like this
might need two CVEs if they are widely different.


The changes in media-editor.min.js are bug fixes and not related
to security. They may be seen in uncompressed form here: 
http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.5%2Fwp-includes%2Fjs%2Fmedia-editor.js&new_path=%2Ftags%2F3.5.1%2Fwp-includes%2Fjs%2Fmedia-editor.js

Same

vuln type (XSS), same researcher, same version, CVE MERGE. Please
use CVE-2013-0236 for this issue.

- A cross-site scripting vulnerability in the external library
Plupload. Thanks to the Moxiecode team for working with us on
this, and for releasing Plupload 1.5.5 to address this issue.


The diff for plupload is a mess of JavaScript/binary files so I
can't confirm much.


The security fix was specific to the Flash binary. Here is the
upstream commit:
https://github.com/moxiecode/plupload/commit/2d746ee. Exploit 
occurs with uplupload.flash.js?id=XSS, using the attack described
here: 
http://lcamtuf.blogspot.se/2011/03/other-reason-to-beware-of.html.

Please use CVE-2013-0237 for this issue.

Regards, Andrew Nacin

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRB3EyAAoJEBYNRVNeJnmTqWUP/RTp5hvRrBl56eCE0CAHCalj
jmc3+mPM+5uRb4tFgTTRnhh0Sww1m6eE+s02CZ0lNvrC70VNBr89+Nz4xuyyZfpI
SVdHhz42veUGUk9nhubGjSNpitdDR+IA4szb33nxDV2q+NGaqz6n2mQ5/zKjWZEf
9HtDEMK3JtjciE1YEyWiqJBLWpp+KjiLXElKjTRYEGRTPDaFtc1eD6xzgKUGjGls
SJRYRR1v7Z1d8JY08dN/Q2IFIhyoZnAK0HaCIo/rsNwBPrSyaRnBm6rNNdM9uYl1
1Hm4beIC/SWBDS27r4yVxPptHJ7PtzwPuiLTkxlwy2TYbwgai79GTXVWUFFXbZ+i
lQzdBqdrBlL28Umf7HqCjxpzwuVWltip9HGz34jLNkPFpD0oPm50gpFoXPIPCaF9
BwT1UO5mo8d+Y5EZz7pAhZmf5e9k2yMJisM4ia3LIvuFTLUunxiXBnn0GKntJG4I
iGsyr13b5jxvuUCi+UF1/rqFlr430KfmV6Wh2+mM9PpI8myHhyjFjUf9oLx7NOB+
Sg1Vdt5spkitOOFrMxthA8hApAOgIHkhzWW44Z+SqKWEHG/7FSjIeBBFHfz7C7y0
IHqCh5kc7oISBVe2HPNN87rIifEGQ8qmv5C8EJL5Jtlxi1tUByi7zICIlgg2pn6A
JG+Y9Gcbv3baCnIdrs+6
=U00O
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault