Re: CVE request: WordPress 3.5.1 Maintenance and Security Release

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/26/2013 01:13 PM, Andrew Nacin wrote:
> On Sat, Jan 26, 2013 at 2:19 AM, Kurt Seifried
> <kseifried () redhat com> wrote:
>
> > > - A server-side request forgery vulnerability and remote port 
> > > scanning using pingbacks. This vulnerability, which could 
> > > potentially be used to expose information and compromise a
> > > site, affects all previous WordPress versions. This was fixed
> > > by the WordPress security team. We’d like to thank security
> > > researchers Gennady Kovshenin and Ryan Dewhurst for reviewing
> > > our work.
> >
> > Basically it applies filters to pingbacks, things like:
> >
> > return new IXR_Error(33, __('The specified target URL cannot be
> > used as a target. It either doesn't exist, or it is not a
> > pingback-enabled resource.')); so I was largely abl to confirm
> > this one.
>
>
> The primary fix is to better validate a URL before triggering an
> HTTP request to it. You can see this with the filter and function 
> pingback_ping_source_uri in
> http://core.trac.wordpress.org/changeset/23330. It blocks
> credentials, odd ports, RFC1918 IPs, etc. Turning the error 
> messages into generic errors was an additional defensive measure
> but due to the other fixes, does not address a particular
> vulnerability.
>
> What these fixes target have already been written about publicly: 
> http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/
http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

Please use CVE-2013-0235 for this issue

> > - Two instances of cross-site scripting via shortcodes and post
> > > content. These issues were discovered by Jon Cave of the
> > > WordPress security team.
>
> I found one instance of esc_attr() to esc_url() on a url used in
> > embedded media, I'm guessing this is the XSS mentioned in the 
> > description as "post content"?
>
> That was one — http://core.trac.wordpress.org/changeset/23322. The
> other was http://core.trac.wordpress.org/changeset/23317, which
> serves to fully validate HTML tags passed to a shortcode and reject
> exploitative values.
>
> All I'm seeing for shortcodes related junk is in a big JavaScript
> blob
> > wp-35/wp-includes/js/media-editor.min.js. It looks like this
> > might need two CVEs if they are widely different.
>
> The changes in media-editor.min.js are bug fixes and not related
> to security. They may be seen in uncompressed form here: 
> http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.5%2Fwp-includes%2Fjs%2Fmedia-editor.js&new_path=%2Ftags%2F3.5.1%2Fwp-includes%2Fjs%2Fmedia-editor.js

Same
>
vuln type (XSS), same researcher, same version, CVE MERGE. Please
use CVE-2013-0236 for this issue.

> > - A cross-site scripting vulnerability in the external library
> > > Plupload. Thanks to the Moxiecode team for working with us on
> > > this, and for releasing Plupload 1.5.5 to address this issue.
>
>
> > The diff for plupload is a mess of JavaScript/binary files so I
> > can't confirm much.
>
> The security fix was specific to the Flash binary. Here is the
> upstream commit:
> https://github.com/moxiecode/plupload/commit/2d746ee. Exploit 
> occurs with uplupload.flash.js?id=XSS, using the attack described
> here: 
> http://lcamtuf.blogspot.se/2011/03/other-reason-to-beware-of.html.

Please use CVE-2013-0237 for this issue.

> Regards, Andrew Nacin

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRB3EyAAoJEBYNRVNeJnmTqWUP/RTp5hvRrBl56eCE0CAHCalj
jmc3+mPM+5uRb4tFgTTRnhh0Sww1m6eE+s02CZ0lNvrC70VNBr89+Nz4xuyyZfpI
SVdHhz42veUGUk9nhubGjSNpitdDR+IA4szb33nxDV2q+NGaqz6n2mQ5/zKjWZEf
9HtDEMK3JtjciE1YEyWiqJBLWpp+KjiLXElKjTRYEGRTPDaFtc1eD6xzgKUGjGls
SJRYRR1v7Z1d8JY08dN/Q2IFIhyoZnAK0HaCIo/rsNwBPrSyaRnBm6rNNdM9uYl1
1Hm4beIC/SWBDS27r4yVxPptHJ7PtzwPuiLTkxlwy2TYbwgai79GTXVWUFFXbZ+i
lQzdBqdrBlL28Umf7HqCjxpzwuVWltip9HGz34jLNkPFpD0oPm50gpFoXPIPCaF9
BwT1UO5mo8d+Y5EZz7pAhZmf5e9k2yMJisM4ia3LIvuFTLUunxiXBnn0GKntJG4I
iGsyr13b5jxvuUCi+UF1/rqFlr430KfmV6Wh2+mM9PpI8myHhyjFjUf9oLx7NOB+
Sg1Vdt5spkitOOFrMxthA8hApAOgIHkhzWW44Z+SqKWEHG/7FSjIeBBFHfz7C7y0
IHqCh5kc7oISBVe2HPNN87rIifEGQ8qmv5C8EJL5Jtlxi1tUByi7zICIlgg2pn6A
JG+Y9Gcbv3baCnIdrs+6
=U00O
-----END PGP SIGNATURE-----