oss-sec mailing list archives

CVE Request: Arbitrary file upload in Wordpress 4.1.1


From: Sebastian Wolfgang Kraemer | HSASec <Sebastian.Kraemer () HS-Augsburg de>
Date: Wed, 10 Jun 2015 16:29:34 +0200

Greetings,

referring to your mail
(http://www.openwall.com/lists/oss-security/2015/04/28/7)

Date: Tue, 28 Apr 2015 15:27:03 -0400 (EDT)
From: cve-assign ()    re org
To: carnil ()    ian org
Cc: cve-assign ()    re org, oss-security ()    ts openwall com
Subject: Re: Possible CVE Request: Wordpress 4.1.2 security release


we want to request a CVE for the vulnerability discussed in your mail:

In WordPress 4.1 and higher, files with invalid or unsafe names could
be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of
HSASec.

The vulnerability was fixed with the update 4.1.2 and was (according to your assumption) located in this call graph:

- /wp-admin/async-upload.php : (Index)
- - /wp-admin/includes/ajax-actions.php : wp_ajax_upload_attachment
- - - /wp-includes/functions.php : wp_check_filetype_and_ext
- - - - /wp-includes/functions.php : wp_check_filetype

The validation of filenames in "/wp-includes/functions.php : wp_check_filetype" failed under certain circumstances if
the user-provided filename contained special characters of regular expressions.
Exploiting this vulnerability enables users with any file-upload privilege to upload and execute any type of file. This
results in the ability to execute arbitrary code.


Researchers:

* Sebastian Kraemer (https://www.HSASec.de)
* Michael Kapfer (https://www.HSASec.de) 


Best regards,
 Michael Kapfer & Sebastian Kraemer 
(https://www.HSASec.de) 
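As an added illustration (not code from this mail or from WordPress), the following Python filename check applies the lesson of the report: the untrusted name is never interpolated into a regular expression, every allowlist alternative is escaped, and the extension is parsed rather than pattern-scanned. The allowlist key format mirrors the "ext1|ext2" => mime-type keys of WordPress's get_allowed_mime_types(); the sample entries, the SAFE_NAME character set and the function names are assumptions.

```python
import os
import re

# Constructed allowlist in the "ext1|ext2" => mime-type key format that
# WordPress's get_allowed_mime_types() uses (sample entries, assumed).
ALLOWED_MIMES = {
    "jpg|jpeg|jpe": "image/jpeg",
    "png": "image/png",
    "gif": "image/gif",
    "pdf": "application/pdf",
}

# Characters a stored upload name may contain (assumed policy); any other
# byte, including regex metacharacters, is rejected before matching.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def build_ext_patterns(mimes):
    """Compile one pattern per allowlist entry, from the allowlist only.

    Each alternative goes through re.escape(), so a metacharacter in the
    allowlist cannot widen the match, and the user's filename is never
    part of any pattern at all.
    """
    patterns = []
    for ext_key, mime in mimes.items():
        alternatives = "|".join(re.escape(e) for e in ext_key.split("|"))
        patterns.append((re.compile(rf"({alternatives})", re.IGNORECASE), mime))
    return patterns


EXT_PATTERNS = build_ext_patterns(ALLOWED_MIMES)


def check_filetype(filename):
    """Return (extension, mime) for an acceptable name, else (None, None).

    The extension is taken from the last dot via os.path.splitext and must
    match one allowlist alternative in full (fullmatch), so "shell.php",
    "image.jpg.php" or "a|b.jpg" are all refused.
    """
    base = os.path.basename(filename)
    if not SAFE_NAME.match(base) or base.startswith("."):
        return None, None
    _, ext = os.path.splitext(base)
    ext = ext[1:]  # drop the leading dot; empty if there was no extension
    if not ext:
        return None, None
    for pattern, mime in EXT_PATTERNS:
        if pattern.fullmatch(ext):
            return ext.lower(), mime
    return None, None
```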

