Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 27 Nov 2014 02:12:27 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: ryan@...hurstsecurity.com, hugo.s@...uxmail.org
Subject: Please reject CVE-2014-8585

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mitre,

Please REJECT CVE-2014-8585, thanks.

Directory traversal vulnerability in the WordPress Download Manager plugin for
WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in
the fname parameter to (1) views/file_download.php or (2) file_download.php.

File file_download.php is not available in any version of WordPress plugin
"download-manager" checked SVN and latest 2.7.4 version from
https://wordpress.org/plugins/download-manager/

PoC refers to random WordPress installation with plugin named
"document_manager", which is indeed vulnerable. I sent abuse emails to few
affected targets. Plugin "document_manager" is custom and not available in WP
plugin repository.

This was noticed during http://www.wpscan.org/ development.

If I am correct OSVDB item refers to issue listed in vexatioustendencies.com,
which has different attack scenario and payloads. 

References:
- - http://osvdb.org/111215
- - http://secunia.com/advisories/59925/
- - http://packetstormsecurity.com/files/128852/WordPress-Download-Manager-Arbitrary-File-Download.html
- - https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlR2bGsACgkQXf6hBi6kbk/6tgCeL3A5Wuw10z9lth01PfcZ73XX
MBUAn2RBTmkJAJuwPS/hvaZxg2ycxcVA
=upSJ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.