oss-sec mailing list archives
WP-Super-Cache 1.3.1 Remote Code Exec - properly fixed?
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 24 Apr 2013 21:48:57 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 So it turns out the attempted fix for CVE-2013-2009 was incomplete. To quote reddit: "Erm, you forgot about escaping markdown metachars. Here, the fixed version, edit it in: \*\^_\^\*" http://www.reddit.com/r/netsec/comments/1czzyx/update_wp_super_cache_and_w3tc_immediately_remote/c9lvxn8 And to quote the WP-Super-Cache 1.3.2 ChangeLog: += 1.3.2 = +* Any mfunc/mclude/dynamic-cached-content tags in comments are now removed. So please use CVE-2013-2011 for this issue. NOTE: this issue exists because of an incomplete fix for CVE-2013-2009. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJReKepAAoJEBYNRVNeJnmTujUQANF2fv8z1ewjFXCHDkippSn1 SYpl4pXTWuL5CL/RIL6zbIlhMx6KJMTkC8vJKFKA0OZ7MLn2nJyBvg1DqXUVcI4d XvyPQHe53bqjlA6XMD2ldvN4Va3rYAmPQLOlLFJq2tY4VVaa2jW+iEpoTEdXDfwC XtkluA33f8vVJE97uwAgMWbh/TQ8dBxESPUEgxgusuQAGNWa5g1T/2ydHYjElb4X YH0yIaMh24Ygl9R5UQ8Fs6U5wttHKLYl1bkKCg1RpRgqiQwRc7Zu15hvIHprtOeO syKp+R0Xaubv82hZKvMs6SphhNL5u8EOkTVh5iov5BJG4oGj2ZmuaUYXcvn/FTS8 pIhzEKr1nnmQ56xxrMa91fQdbprEb7JmPtSdl4lyTUZOFn+iLVbP+6mmVZW/lodT zOWeiy1lgx+dVBDijvYpaYh7iZuuK+MmtWMkPio3KPQtKnmSRpqpSFxTIdTadNj2 CB5G0Oy0UT68n7eDrWWYZZR39pCbfwD6WC31MD9QVINHyIqXlBPPlcOKeeDjbGRZ OBjR91PHbv/DjVdUQjApgLjP46/9/YfnnVobO8IhYIttauxkMitVcmFhbdtAMYiU xKU47/aoBH8oXAzWiGMLLCAgPMNhVgTBFvUwzqmTDdbgZ6waLr2n9fr2qw333CXN H5gUmctO2sllcgD1OYb6 =I8Sy -----END PGP SIGNATURE-----
Current thread:
- WP-Super-Cache 1.3.1 Remote Code Exec - properly fixed? Kurt Seifried (Apr 24)