oss-sec mailing list archives
Re: Persistent Cross-Site Scripting vulnerability in WordPress due to unsafe processing of file names
From: cve-assign () mitre org
Date: Thu, 8 Sep 2016 18:16:51 -0400 (EDT)
https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
(Please note the "extra" CVE ID below for the other vulnerability fixed in 4.6.1.)
> a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin
Use CVE-2016-7168.
> lure an admin into uploading the image with the malicious file name

> A WordPress admin uploads a malicious image file requested by a user this admin trusts or a popular malicious image that was spread via social media.
We are not sure whether this CVE-2016-7168 issue is best interpreted as a vulnerability. We think it means that the admin has the unfiltered_html capability, and proceeds with uploading the file even though its name (which contains an embedded IMG string with onerror=alert in the PoC) is visible to the admin. It seems to be more of a design change in which the meaning of unfiltered_html is slightly redefined, in a way that is helpful to many users but not all. One counterargument use case is:

- the admin of WordPress site A observes that all of their images are being stolen for use on WordPress site B
- the process for stealing the images keeps each original filename
- the admin of WordPress site A specifically wants one image filename to contain JavaScript code, as part of an effort to identify the operators of WordPress site B (this JavaScript code has no effect on site visitors when encountered in the context of WordPress site A)
- the admin of WordPress site A has always relied on the Media Upload functionality in wp-admin/media-new.php for entering these filenames, and this is now broken with the upgrade to 4.6.1
> a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team
Use CVE-2016-7169.

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
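The filename-as-title issue discussed above (a file name containing an IMG string with an onerror handler, later shown to an admin in the media library) reduces to untrusted text reaching admin HTML unescaped. The following is an added illustration written for this archive page, not WordPress code: it derives a title from a constructed file name, renders it once verbatim and once escaped, and shows a store-time check that strips markup from the derived title. The render helpers and the tag regex are simplifications assumed for the example.

```python
import html
import re

# Constructed sample file name of the kind the PoC describes: an IMG tag with an
# onerror handler embedded in the name itself. This is test input, not a real upload.
SAMPLE_FILENAME = '<img src=x onerror=alert(1)>.png'

# Simplified stand-in for "anything that looks like an HTML tag".
TAG_RE = re.compile(r'<[^>]*>')


def title_from_filename(filename: str) -> str:
    """Derive an attachment title the way a media library commonly does:
    drop the file extension and keep the rest of the name as-is."""
    return filename.rsplit('.', 1)[0] if '.' in filename else filename


def render_media_row_vulnerable(filename: str) -> str:
    """Stored title interpolated into admin HTML verbatim.
    A tag inside the name is emitted as markup, so it executes in the admin's browser."""
    title = title_from_filename(filename)
    return f'<li class="attachment"><span class="title">{title}</span></li>'


def render_media_row_hardened(filename: str) -> str:
    """Escape on output: the title is always rendered as text, whatever was uploaded."""
    title = title_from_filename(filename)
    return (f'<li class="attachment"><span class="title">'
            f'{html.escape(title, quote=True)}</span></li>')


def contains_markup(filename: str) -> bool:
    """Store-time check: does the uploaded name carry anything tag-shaped?
    Useful as a log/alert signal even when output escaping is already in place."""
    return bool(TAG_RE.search(filename))


def strip_markup_from_title(filename: str) -> str:
    """Store-time hardening: remove tag-shaped fragments from the derived title so a
    downstream consumer that forgets to escape cannot be reached through it."""
    return TAG_RE.sub('', title_from_filename(filename)).strip()


if __name__ == '__main__':
    print('vulnerable :', render_media_row_vulnerable(SAMPLE_FILENAME))
    print('hardened   :', render_media_row_hardened(SAMPLE_FILENAME))
    print('flagged    :', contains_markup(SAMPLE_FILENAME))
    print('stored as  :', repr(strip_markup_from_title(SAMPLE_FILENAME)))
```

Escaping on output is the fix that holds regardless of who uploaded the file; the store-time check only adds a detection hook and defence in depth.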
Current thread:
- Persistent Cross-Site Scripting vulnerability in WordPress due to unsafe processing of file names Summer of Pwnage (Sep 08)
- Re: Persistent Cross-Site Scripting vulnerability in WordPress due to unsafe processing of file names cve-assign (Sep 08)