Date: Wed, 10 Jun 2015 16:29:34 +0200
From: Sebastian Wolfgang Kraemer | HSASec <Sebastian.Kraemer@...Augsburg.de>
To: cve-assign@...re.org
CC: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "Michael.Kapfer@...augsburg.de" <Michael.Kapfer@...augsburg.de>, Gordon Rohrmair <gordonthomas.rohrmair@...augsburg.de>
Subject: CVE Request: Arbitrary file upload in Wordpress 4.1.1

Greetings,

referring to your mail (http://www.openwall.com/lists/oss-security/2015/04/28/7)

> Date: Tue, 28 Apr 2015 15:27:03 -0400 (EDT)
> From: cve-assign@...re.org
> To: carnil@...ian.org
> Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
> Subject: Re: Possible CVE Request: Wordpress 4.1.2 security release

we want to request a CVE for the vulnerability discussed in your mail:

> > In WordPress 4.1 and higher, files with invalid or unsafe names could
> > be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of
> > HSASec.

The vulnerability was fixed with the update 4.1.2 and was (according to your assumption) located in this call graph:

- /wp-admin/async-upload.php : (Index)
- - /wp-admin/includes/ajax-actions.php : wp_ajax_upload_attachment
- - - /wp-includes/functions.php : wp_check_filetype_and_ext
- - - - /wp-includes/functions.php : wp_check_filetype

The validation of filenames in "/wp-includes/functions.php : wp_check_filetype" failed under certain circumstances if the user provided filename contains special chars of regular expressions. Exploiting this vulnerability enables users with any fileupload-privilege to upload and execute any type of files. This results in the ability of executing arbitrary code.

Researchers:
* Sebastian Kraemer (https://www.HSASec.de)
* Michael Kapfer (https://www.HSASec.de)

Best regards,
Michael Kapfer & Sebastian Kraemer (https://www.HSASec.de)