Re: WP-Super-Cache XSS and Remote Code Exec

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/24/2013 12:30 PM, Kurt Seifried wrote:
> Is there any way to get the WordPress community involved in
> actually handling security issues properly? E.g. requesting CVE's,
> or heck, I'll settle for being notified via email directly. I found
> out about this stuff on Reddit (linked to Tony Perez's blog
> posting) so I read the code and voila:
>
> ===============================================================
>
> WP-Super-Cache XSS 1.3 Fixed in 1.3.1 with code changes like: 
> -<form name="wp_manager" action="<?php echo $_SERVER[ "REQUEST_URI"
> ]; ?>" method="post"> +<form name="wp_manager" action=""
> method="post">
>
> Please use CVE-2013-2008 for this issue.
>
> ===============================================================
>
> WP-Super-Cache 1.2 Remote Code Execution Fixed in 1.3: +2013-04-11
> 10:39  donncha + +       * wp-cache.php: Remove mfunc, mclude and
> dynamic-cached-content +         tags from comments. Props Frank
> Goossen + 
> (http://blog.futtta.be/2013/04/10/wp-safer-cache-stopgap-for-wordpress-cache-plugins-vulnerability/)
+         and kisscsaby
> +         (http://wordpress.org/support/topic/pwn3d?replies=6)
>
> http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
>
>  To test leave a comment like: <!?mfunc echo PHP_VERSION;
> ?><!?/mfunc?>
>
> To fix it they added a mfunc filter in
> wp-super-cache-1.3/wp-cache.php:
>
> +add_filter( 'preprocess_comment','no_mfunc_in_comments' ); 
> +add_filter( 'comment_text','no_mfunc_in_comments' ); +add_filter(
> 'comment_excerpt','no_mfunc_in_comments' ); +add_filter(
> 'comment_text_rss','no_mfunc_in_comments' );
>
> Please use CVE-2013-2009 for this issue.

Forgot to include link to source code:
http://wordpress.org/extend/plugins/wp-super-cache/


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJReCjCAAoJEBYNRVNeJnmT/FkP/0T/8f6I+LZyvT1hRLGK2YrW
If+fHmm8th+K+Bz2sP1FHovABKcfJEupDncEqlj8wobK3Up0HHfpykYYLhlvp7S2
ldkAiC/mHd2O/JwB4ZZkmjccHS0kqmYJ0MOokO+iphRD1URUKxQgQT+G+w6dGOeO
6v48WDwZmVSB82Ttp0waJp0XtJ1rQGoKGVgCE0ytdrBG1MIjDI5g1U2VquaApL8+
75rUECFtdRCxIpZ/uZ+l/uW7C/jWOzSnKFtWG/kvXypgVtcTH7EFIClvbf+sJkYh
0NFzpWLl+B66XG7YBKtvWvQzF2h0tuKCsio8kOYZhP3nMzqhIoSnaDaor6gEMK4h
L45rTI0ql/Kgoh2FZiAsG89z961AhdHdL479LC/jING3xDQwWQF6I4lHfzWxwPdD
ZajFH+1bS804UNdYLaNzxMMUF3+vaVLycfdQWF7WFjCVzh2eikBgq0nAacLBWLGn
JC5WUgf6BY7ZfEMmyhGIGiwOCIPjQZ6SRmybZ10c+x5WxRkrGFkOIYe2noUvJwh7
S2GogHA4oRkWF3ZVyXWrcqPGSgpZRGVsK8kUEv7VOtFP8wB/oRPJwUDCfiNu9+C3
b3lNPt/a0Z64lmKBpvQbMFyW3bmCu+T6JOVFB9+wh6ao9StkwKenRZSsA22J/U7X
/nfV/pyjwQubk3/nifp2
=/PBV
-----END PGP SIGNATURE-----