oss-sec mailing list archives
RE: Re: SWFUpload <= (Object Injection/CSRF) Vulnerabilities Multiple flaws
From: "Christey, Steven M." <coley () mitre org>
Date: Thu, 18 Jul 2013 21:10:15 +0000
Kurt etc. - no CVE REJECT decisions yet, please. We might be dealing with a CVE *triplicate*.

There have been a lot of disclosures about swfupload.swf lately with... ummm... mixed levels of detail and varying levels of researcher skill and diligence.

For example, the movieName parameter vector was given CVE-2012-3414 by Kurt in July of 2012, for an April 2012 disclosure - https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/ (assignment is in http://www.openwall.com/lists/oss-security/2012/07/17/12 but is listed for the "libjs-swfupload" package). The CVE-2013-4145 that Kurt just assigned also involves the movieName vector.

Since swfupload.swf is apparently widely used, researchers may be finding the same issue over and over again in different packages, and presenting them as if they are new. Yet there might be some attack variants buried in there, too.

Because of the amount of attention by researchers who don't check whether an issue has already been disclosed, and/or the number of independent products that use this library, any "new" swfupload.swf issues should be regarded with extreme suspicion while CVE tries to iron out all the existing duplicates.

Andrew Nacin said:

> CVE-2013-4145 (XSS) is actually CVE-2012-2399.

CVE-2012-2399's only public details are that it's an unspecified vulnerability in Wordpress before 3.3.2, yet http://wordpress.org/news/2012/04/wordpress-3-3-2/ is pretty vague and mentions multiple products (although it does credit Neal Poole for at least one issue). That said, a statement by a lead developer of Wordpress is important for this clarification ;-)

Andrew, can you confirm for sure that CVE-2012-2399 is *also* the same as CVE-2012-3414 for Neal Poole's movieName vector?

- Steve
-----Original Message-----
From: andrewnacin () gmail com [mailto:andrewnacin () gmail com] On Behalf Of Andrew Nacin
Sent: Thursday, July 18, 2013 4:37 PM
To: Kurt Seifried
Cc: Open Source Security; Jay Turla; nacin () wordpress org
Subject: [oss-security] Re: SWFUpload <= (Object Injection/CSRF) Vulnerabilities Multiple flaws

On Thu, Jul 18, 2013 at 4:25 PM, Kurt Seifried <kseifried () redhat com> wrote:

> This was brought to my attention by Jay Turla <shipcodez () gmail com>, after some searching I found:
> http://bot24.blogspot.ca/2013/04/swfupload-object-injectioncsrf.html
> and after testing (it works). So please use:
>
> CVE-2013-4144 swfupload KedAns-Dz object injection
> CVE-2013-4145 swfupload KedAns-Dz XSS
> CVE-2013-4146 swfupload KedAns-Dz CSRF

CVE-2013-4145 (XSS) is actually CVE-2012-2399. And, CVE-2013-4146 (CSRF) seems to be just the potential for CSRF via XSS -- don't think this is a separate issue. Neither of those are reproducible in https://github.com/wordpress/secure-swfupload.

We're aware of CVE-2013-4144 and intend to fix it soon, but it's really tough to classify "image injection" as a serious vulnerability without there being any actual XSS there to further trick the user.

> Also alerting WordPress.

Thank you.