Date: Mon, 28 Jan 2013 23:50:26 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Andrew Nacin <nacin@...dpress.org>, Henri Salo <henri@...v.fi>,
        WordPress Security Team <security@...dpress.org>
Subject: Re: CVE request: WordPress 3.5.1 Maintenance and Security Release


On 01/26/2013 01:13 PM, Andrew Nacin wrote:
> On Sat, Jan 26, 2013 at 2:19 AM, Kurt Seifried
> <kseifried@...hat.com> wrote:
> 
>>> - A server-side request forgery vulnerability and remote port 
>>> scanning using pingbacks. This vulnerability, which could 
>>> potentially be used to expose information and compromise a
>>> site, affects all previous WordPress versions. This was fixed
>>> by the WordPress security team. We'd like to thank security
>>> researchers Gennady Kovshenin and Ryan Dewhurst for reviewing
>>> our work.
>> 
>> Basically it applies filters to pingbacks, things like:
>> 
>> return new IXR_Error(33, __('The specified target URL cannot be
>> used as a target. It either doesn't exist, or it is not a
>> pingback-enabled resource.')); so I was largely able to confirm
>> this one.
> 
> 
> The primary fix is to better validate a URL before triggering an
> HTTP request to it. You can see this with the filter and function 
> pingback_ping_source_uri in
> http://core.trac.wordpress.org/changeset/23330. It blocks
> credentials, odd ports, RFC1918 IPs, etc. Turning the error 
> messages into generic errors was an additional defensive measure
> but due to the other fixes, does not address a particular
> vulnerability.
> 
> What these fixes target have already been written about publicly: 
> http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/
> 
> http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

Please use CVE-2013-0235 for this issue

>>> - Two instances of cross-site scripting via shortcodes and post
>>> content. These issues were discovered by Jon Cave of the
>>> WordPress security team.
>> 
> 
>> I found one instance of esc_attr() to esc_url() on a url used in
>> embedded media, I'm guessing this is the XSS mentioned in the 
>> description as "post content"?
>> 
> 
> That was one: http://core.trac.wordpress.org/changeset/23322. The
> other was http://core.trac.wordpress.org/changeset/23317, which
> serves to fully validate HTML tags passed to a shortcode and reject
> exploitative values.
> 
>> All I'm seeing for shortcodes related junk is in a big JavaScript
>> blob
>> wp-35/wp-includes/js/media-editor.min.js. It looks like this
>> might need two CVEs if they are widely different.
>> 
> 
> The changes in media-editor.min.js are bug fixes and not related
> to security. They may be seen in uncompressed form here: 
> http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.5%2Fwp-includes%2Fjs%2Fmedia-editor.js&new_path=%2Ftags%2F3.5.1%2Fwp-includes%2Fjs%2Fmedia-editor.js

Same vuln type (XSS), same researcher, same version, CVE MERGE. Please
use CVE-2013-0236 for this issue.

>>> - A cross-site scripting vulnerability in the external library
>>> Plupload. Thanks to the Moxiecode team for working with us on
>>> this, and for releasing Plupload 1.5.5 to address this issue.
> 
> 
>> The diff for plupload is a mess of JavaScript/binary files so I
>> can't confirm much.
>> 
> 
> The security fix was specific to the Flash binary. Here is the
> upstream commit:
> https://github.com/moxiecode/plupload/commit/2d746ee. Exploit 
> occurs with uplupload.flash.js?id=XSS, using the attack described
> here: 
> http://lcamtuf.blogspot.se/2011/03/other-reason-to-beware-of.html.

Please use CVE-2013-0237 for this issue.

> Regards, Andrew Nacin

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
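The pingback fix discussed above (CVE-2013-0235) comes down to validating a target URL before fetching it. The following is an added example, not WordPress's pingback_ping_source_uri, showing that shape of check: it rejects embedded credentials, non-HTTP schemes, ports outside an assumed allow-list, and hosts that resolve to RFC1918, loopback, link-local or otherwise non-global addresses. The ALLOWED_PORTS set and the injectable resolver are assumptions for the example.

```python
# Added example, not WordPress's own code: target-URL validation of the
# kind the thread describes for pingbacks (credentials, odd ports,
# RFC1918 and other non-global addresses are refused).
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443, 8080}  # assumption: ports a pingback may target


def _resolve(host):
    """Return the IP addresses for host; an IP literal passes straight through."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_safe_pingback_target(url, resolver=_resolve):
    """True only if url is an acceptable target for an outbound pingback request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # credentials in the URL
    host = parts.hostname
    if not host:
        return False
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port is not None and port not in ALLOWED_PORTS:
        return False
    addrs = resolver(host)
    if not addrs:
        return False  # unresolvable hosts are refused rather than fetched
    for addr in addrs:
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False
    return True
```

The resolution here is only a check; a client that later re-resolves the name can still be sent elsewhere by DNS rebinding, so connect to the address that passed the check rather than the name.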

