Date: Mon, 28 Jan 2013 23:50:26 -0700
From: Kurt Seifried <>
CC: Andrew Nacin <>, Henri Salo <>,
        WordPress Security Team <>
Subject: Re: CVE request: WordPress 3.5.1 Maintenance and Security

On 01/26/2013 01:13 PM, Andrew Nacin wrote:
> On Sat, Jan 26, 2013 at 2:19 AM, Kurt Seifried
> <> wrote:
>>> - A server-side request forgery vulnerability and remote port 
>>> scanning using pingbacks. This vulnerability, which could 
>>> potentially be used to expose information and compromise a
>>> site, affects all previous WordPress versions. This was fixed
>>> by the WordPress security team. We'd like to thank security
>>> researchers Gennady Kovshenin and Ryan Dewhurst for reviewing
>>> our work.
>> Basically it applies filters to pingbacks, things like:
>> return new IXR_Error(33, __('The specified target URL cannot be
>> used as a target. It either doesn't exist, or it is not a
>> pingback-enabled resource.')); so I was largely able to confirm
>> this one.
> The primary fix is to better validate a URL before triggering an
> HTTP request to it. You can see this with the filter and function 
> pingback_ping_source_uri in
> It blocks
> credentials, odd ports, RFC1918 IPs, etc. Turning the error 
> messages into generic errors was an additional defensive measure
> but due to the other fixes, does not address a particular
> vulnerability.
> What these fixes target have already been written about publicly: 

Please use CVE-2013-0235 for this issue

>>> - Two instances of cross-site scripting via shortcodes and post
>>> content. These issues were discovered by Jon Cave of the
>>> WordPress security team.
>> I found one instance of esc_attr() to esc_url() on a url used in
>> embedded media, I'm guessing this is the XSS mentioned in the 
>> description as "post content"?
> That was one The
> other was, which
> serves to fully validate HTML tags passed to a shortcode and reject
> exploitative values.
>> All I'm seeing for shortcodes related junk is in a big JavaScript
>> blob
>> wp-35/wp-includes/js/media-editor.min.js. It looks like this
>> might need two CVEs if they are widely different.
> The changes in media-editor.min.js are bug fixes and not related
> to security. They may be seen in uncompressed form here: 

vuln type (XSS), same researcher, same version, CVE MERGE. Please
use CVE-2013-0236 for this issue.

>>> - A cross-site scripting vulnerability in the external library
>>> Plupload. Thanks to the Moxiecode team for working with us on
>>> this, and for releasing Plupload 1.5.5 to address this issue.
>> The diff for plupload is a mess of JavaScript/binary files so I
>> can't confirm much.
> The security fix was specific to the Flash binary. Here is the
> upstream commit:
> Exploit 
> occurs with uplupload.flash.js?id=XSS, using the attack described
> here: 

Please use CVE-2013-0237 for this issue.

> Regards, Andrew Nacin

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
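The pingback target validation Andrew describes above (reject embedded credentials, odd ports and RFC1918 addresses before any HTTP request is issued), as an added Python example written for this page; it is not WordPress's pingback_ping_source_uri code, and the port allow-list, the `resolve` hook and the fake DNS table are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed example: the port allow-list is an assumption, not WordPress's.
ALLOWED_PORTS = {80, 443, 8080}

def address_is_internal(ip) -> bool:
    """Loopback, RFC1918/ULA, link-local, multicast, reserved, unspecified."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def pingback_target_ok(url: str, resolve=None) -> tuple:
    """Validate a pingback target before any HTTP request. Returns (ok, reason).
    `resolve` maps hostname -> IP string (hook for offline use; None = literal
    IPs only, hostnames pass through unchecked)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL or port"
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False, "scheme is not http(s)"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if resolve is None:
            return True, "ok (hostname left unresolved)"
        try:
            ip = ipaddress.ip_address(resolve(host))
        except ValueError:
            return False, "host does not resolve"
    if address_is_internal(ip):
        return False, f"{ip} is an internal address"
    return True, "ok"

if __name__ == "__main__":
    fake_dns = {"example.com": "93.184.216.34", "intranet": "10.0.0.5"}  # constructed
    for u in ("https://example.com/p", "http://user:pw@example.com/",
              "http://example.com:22/", "http://[::1]/", "http://intranet/"):
        print(u, "->", pingback_target_ok(u, fake_dns.get))
```

The check after resolution matters: a public-looking hostname that resolves to an internal address is the case a scheme-and-port filter alone misses.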
