Re: CVE Request - Wordpress 3.5 Full-path disclosure vulnerability

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2013 01:18 PM, Henrique wrote:
> Hello,
>
> This is a request for a CVE for an issue with Wordpress 3.5 (and
> probably earlier versions) that allows a full-path disclosure. The
> issue can be reproduced by accessing the URL as follows:
>
> http://wordpress_site/?s[]=1
>
> producing the error:
>
> Warning: stripslashes() expects parameter 1 to be string, array
> given in /home/gilgamesh/security/wpress/wp-includes/query.php on
> line 2184
>
> Before sanitizing the input, the variables passed should be
> validated that they have the correct type in order to avoid such
> issues.
>
> The wordpress team has already been notified and say they will look
> into the code to improve it.
>
> Regards,
>
> Henrique

I can't get this to work anywhere. Does it require a specific theme or
configuration? Do you have details that can aid in reproduction?



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ/Oo6AAoJEBYNRVNeJnmTrnoQAJTWO+BL07YlQrzHs4kKbgyL
1X6YnOWKnz7WSH5sBPaSg2ziAo+o0unyTEf196YdHWeN2Gj6+O5dcofb1zuZKxy2
0v74bVWsPS5FC40o3sXEXoe9ArBddR9iFr1BGJvD1+0MRjhkp0vFieBqv8Rl/Y6x
QrUwtAOXGxgRVvo7eIpRFjvEhhKYLA1UIfuhMfMOw6T+3iWk4h2Nf52RRdF1WUTW
KIJdVbcoPuUjbXJgylEqGt7di1XuAdjwIZlyyU1dXkNF1MRqb85kGXf+PIjFl2aK
E9dOnUakMEYWR69cxhid1M7+9vtOUC6ABluxEu5xk1w4RMSWusWjQr7Fl9ZupGpb
ZATGXzxbyiBsbsvZwbazBJeYOlAeABZFmGx3AWoTaXDeF+4murBMpIxIRf8UOyuA
epFnbicPVDEAeAYiHQaoYiGtk6DTP8aH960TI10I4PZruxJO8hqLASx3x03gmZUB
yFtmjv66IJECpw7XFTW3JjRlavVjeIzY2ooy3OputDCAxmc2n+9M2wP/YngR//qD
dvkZ226/bgdzTanP4oaKT42v+UKIu7NEIQz6BCCQzcNJQQn6NsEjyjvv7wM3S7d0
DqS8Aq2b46RpbU05sDayEnibIh7RiGLNMQ6OpOPLgZVR62WMpacpBH4cMI4khB9u
yHIVhZMm7R0hoIFlRHE9
=IGxe
-----END PGP SIGNATURE-----