oss-sec mailing list archives

Re: Persistent Cross-Site Scripting vulnerability in WordPress due to unsafe processing of file names


From: cve-assign () mitre org
Date: Thu, 8 Sep 2016 18:16:51 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/

(Please note the "extra" CVE ID below for the other vulnerability
fixed in 4.6.1.)


a cross-site scripting vulnerability via image filename, reported by
SumOfPwn researcher Cengiz Han Sahin

Use CVE-2016-7168.


lure an admin into uploading the image with the malicious file name

A WordPress admin uploads a malicious image file requested by a user
this admin trusts or a popular malicious image that was spread via
social media.

We are not sure whether this CVE-2016-7168 issue is best interpreted
as a vulnerability. We think it means that the admin has the
unfiltered_html capability, and proceeds with uploading the file even
though its name (which contains an embedded IMG string with
onerror=alert in the PoC) is visible to the admin. It seems to be more
of a design change in which the meaning of unfiltered_html is slightly
redefined, in a way that is helpful to many users but not all.

One counterargument use case is:

  - the admin of WordPress site A observes that all of their images
    are being stolen for use on WordPress site B

  - the process for stealing the images keeps each original filename

  - the admin of WordPress site A specifically wants one image
    filename to contain JavaScript code, as part of an effort to
    identify the operators of WordPress site B (this JavaScript code
    has no effect on site visitors when encountered in the context of
    WordPress site A)

  - the admin of WordPress site A has always relied on the Media
    Upload functionality in wp-admin/media-new.php for entering these
    filenames, and this is now broken with the upgrade to 4.6.1


a path traversal vulnerability in the upgrade package uploader,
reported by Dominik Schilling from the WordPress security team

Use CVE-2016-7169.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
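An added example, not code from the thread or from WordPress itself, of the rendering mistake behind CVE-2016-7168 and the two places it can be addressed: a constructed file name in the style of the PoC mentioned above (an IMG string with onerror=alert), an unescaped media-row renderer beside one that escapes at output, a parser-based check that lists any event-handler attributes the rendered HTML would hand to a browser, and an upload-time name filter. The file name, the upload path and the filter's character set are assumptions; the filter is loosely modelled on the kind of stripping WordPress's sanitize_file_name() does and is not a copy of it.

```python
import html
import re
from html.parser import HTMLParser

# Constructed upload name in the style of the PoC described in the thread
# (assumption: the exact PoC string is not given on the page).
POC_FILENAME = '<img src=x onerror=alert(1)>.png'
UPLOAD_DIR = "/wp-content/uploads/"  # hypothetical path, for illustration only


def render_media_row_unsafe(filename: str) -> str:
    """Vulnerable pattern: the stored file name is interpolated into admin-page
    HTML without escaping, so markup inside the name becomes live markup."""
    return (f'<li class="attachment"><a href="{UPLOAD_DIR}{filename}">'
            f'{filename}</a></li>')


def render_media_row_escaped(filename: str) -> str:
    """Hardened pattern: escape at output, once per context the value lands in
    (attribute value, then element text), the role esc_attr()/esc_html() play
    in WordPress templates."""
    return (f'<li class="attachment">'
            f'<a href="{UPLOAD_DIR}{html.escape(filename, quote=True)}">'
            f'{html.escape(filename)}</a></li>')


class _HandlerFinder(HTMLParser):
    """Records every (tag, attribute) pair where the attribute is an on* handler."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.hits.append((tag, name))


def event_handlers_in(rendered_html: str) -> list[tuple[str, str]]:
    """Check: tokenise the rendered page the way a browser would and return the
    event-handler attributes that would execute script on view."""
    finder = _HandlerFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.hits


# Assumption: a loose approximation of the characters an upload-name filter
# drops, not the real sanitize_file_name() list.
_STRIP_CHARS = frozenset('<>"\'&/\\:;=?#%*|`~!{}()[]$,')


def sanitize_upload_name(filename: str) -> str:
    """Defence in depth at upload time: remove characters that have no business
    in an upload name (plus control characters) and turn whitespace runs into
    dashes. Names can reach the database by other routes (imports, plugins), so
    this complements output escaping rather than replacing it."""
    kept = "".join(c for c in filename if c not in _STRIP_CHARS and ord(c) >= 0x20)
    return re.sub(r"\s+", "-", kept.strip())


if __name__ == "__main__":
    cases = (
        ("unsafe", render_media_row_unsafe(POC_FILENAME)),
        ("escaped", render_media_row_escaped(POC_FILENAME)),
        ("sanitized+unsafe", render_media_row_unsafe(sanitize_upload_name(POC_FILENAME))),
    )
    for label, row in cases:
        print(f"{label:18} handlers={event_handlers_in(row)}")
        print(f"{'':18} {row}")
```

The check runs on the rendered output rather than on the stored name, since the point of the report is that the name becomes markup wherever the media library displays it, whatever capability the uploading admin held; the escaped renderer produces no handler at all, and the filtered name produces none even through the unsafe renderer.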