oss-sec mailing list archives
Re: CVE request: WordPress 3.5.1 Maintenance and Security Release
From: Andrew Nacin <nacin () wordpress org>
Date: Sat, 26 Jan 2013 15:13:13 -0500
On Sat, Jan 26, 2013 at 2:19 AM, Kurt Seifried <kseifried () redhat com> wrote:
- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.Basically it applies filters to pingbacks, things like: return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn't exist, or it is not a pingback-enabled resource.')); so I was largely abl to confirm this one.
The primary fix is to better validate a URL before triggering an HTTP request to it. You can see this with the filter and function pingback_ping_source_uri in http://core.trac.wordpress.org/changeset/23330. It blocks credentials, odd ports, RFC1918 IPs, etc. Turning the error messages into generic errors was an additional defensive measure but due to the other fixes, does not address a particular vulnerability. What these fixes target have already been written about publicly: http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/ http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html
- Two instances of cross-site scripting via shortcodes and postcontent. These issues were discovered by Jon Cave of the WordPress security team.
I found one instance of esc_attr() to esc_url() on a url used in
embedded media, I'm guessing this is the XSS mentioned in the description as "post content"?
That was one — http://core.trac.wordpress.org/changeset/23322. The other was http://core.trac.wordpress.org/changeset/23317, which serves to fully validate HTML tags passed to a shortcode and reject exploitative values. All I'm seeing for shortcodes related junk is in a big JavaScript blob
wp-35/wp-includes/js/media-editor.min.js. It looks like this might need two CVEs if they are widely different.
The changes in media-editor.min.js are bug fixes and not related to security. They may be seen in uncompressed form here: http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.5%2Fwp-includes%2Fjs%2Fmedia-editor.js&new_path=%2Ftags%2F3.5.1%2Fwp-includes%2Fjs%2Fmedia-editor.js .
- A cross-site scripting vulnerability in the external libraryPlupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.
The diff for plupload is a mess of JavaScript/binary files so I can't confirm much.
The security fix was specific to the Flash binary. Here is the upstream commit: https://github.com/moxiecode/plupload/commit/2d746ee. Exploit occurs with uplupload.flash.js?id=XSS, using the attack described here: http://lcamtuf.blogspot.se/2011/03/other-reason-to-beware-of.html. Regards, Andrew Nacin
Current thread:
- CVE request: WordPress 3.5.1 Maintenance and Security Release Henri Salo (Jan 25)
- Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Kurt Seifried (Jan 25)
- Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Andrew Nacin (Jan 26)
- Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Kurt Seifried (Jan 28)
- Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Andrew Nacin (Jan 26)
- Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Kurt Seifried (Jan 25)