![oss-sec logo](/images/oss-sec-logo.png)
oss-sec mailing list archives
WP-Super-Cache XSS and Remote Code Exec
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 24 Apr 2013 12:30:57 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is there any way to get the WordPress community involved in actually handling security issues properly? E.g. requesting CVE's, or heck, I'll settle for being notified via email directly. I found out about this stuff on Reddit (linked to Tony Perez's blog posting) so I read the code and voila: =============================================================== WP-Super-Cache XSS 1.3 Fixed in 1.3.1 with code changes like: - -<form name="wp_manager" action="<?php echo $_SERVER[ "REQUEST_URI" ]; ?>" method="post"> +<form name="wp_manager" action="" method="post"> Please use CVE-2013-2008 for this issue. =============================================================== WP-Super-Cache 1.2 Remote Code Execution Fixed in 1.3: +2013-04-11 10:39 donncha + + * wp-cache.php: Remove mfunc, mclude and dynamic-cached-content + tags from comments. Props Frank Goossen + (http://blog.futtta.be/2013/04/10/wp-safer-cache-stopgap-for-wordpress-cache-plugins-vulnerability/) + and kisscsaby + (http://wordpress.org/support/topic/pwn3d?replies=6) http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html To test leave a comment like: <!?mfunc echo PHP_VERSION; ?><!?/mfunc?> To fix it they added a mfunc filter in wp-super-cache-1.3/wp-cache.php: +add_filter( 'preprocess_comment','no_mfunc_in_comments' ); +add_filter( 'comment_text','no_mfunc_in_comments' ); +add_filter( 'comment_excerpt','no_mfunc_in_comments' ); +add_filter( 'comment_text_rss','no_mfunc_in_comments' ); Please use CVE-2013-2009 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJReCTgAAoJEBYNRVNeJnmT/GsQALYk6SgqA/WmmXXCSoOxlwgV zn1S47llVum5CPC7G90jH0+bOt7MfYx2vApxsd0IjWAgOfyPdx7Du51MQOoOglnG rWbKTzxQ2w0d23r9PHbr+ydKueqoROzulPTsuGgwzyAh1F2Z3UALTZ+Rx/7jIgOG LVgi3jpSFEM4vsjwTKXvZ5dDAb6qwpPPXgY6zwB+6fVbxTMXfU8wpdCrrUoBA58F /HualHi5RjNgl4ayk/7CVLIVPtOpYIavotZu7zZWYvU/9Ib8zZyVnK7lxW4kCOs/ 5UqqXaoaR00Dyb05T87ygIh4mD0SpTuq6hXQxbrALz9muoEeQZSDrNEbqyemhluz LAoS0giVdjKcIg6sBR8DCbcrRNR61rWCFN7B3qJoi2o+hhnjO7Kd3bgELEWJ31Vk e5uOrARoEGuUnb08p49g3MTMaQWhyTHK+pMsciy5XPResYwS2SrAm/M92HRxW1H/ Q5nI8x4AZdg5XRFwYDw1p9RPyr1C9pODz/qzedOIoibGy/mh9+DlQjq0EheEM/9X lXnNQosF9hj+OoUdS19rnEMVPqpdZDuuVlhiWXrVh9/9MSbKqUl2aPVj9EbQCOUJ 6OKQTvGN5xgIn3bVf++R1fGVNxaQWbQ/qIg72ex6oOPuDKzs3pt3JJYPnWPK2EKl IaeZazUMlSVb0nb9iSiQ =qtlM -----END PGP SIGNATURE-----
Current thread:
- WP-Super-Cache XSS and Remote Code Exec Kurt Seifried (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Kurt Seifried (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Henri Salo (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Henri Salo (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Hanno Böck (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Kurt Seifried (Apr 24)