Date: Wed, 10 Jun 2015 16:29:34 +0200
From: Sebastian Wolfgang Kraemer | HSASec <Sebastian.Kraemer@...Augsburg.de>
To: cve-assign@...re.org
CC: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, 
 "Michael.Kapfer@...augsburg.de" <Michael.Kapfer@...augsburg.de>,
 Gordon Rohrmair <gordonthomas.rohrmair@...augsburg.de>
Subject: CVE Request: Arbitrary file upload in Wordpress 4.1.1

Greetings,

referring to your mail
(http://www.openwall.com/lists/oss-security/2015/04/28/7)

> Date: Tue, 28 Apr 2015 15:27:03 -0400 (EDT)
> From: cve-assign@...re.org
> To: carnil@...ian.org
> Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
> Subject: Re: Possible CVE Request: Wordpress 4.1.2 security release


we want to request a CVE for the vulnerability discussed in your mail:

> > In WordPress 4.1 and higher, files with invalid or unsafe names could
> > be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of
> > HSASec.

The vulnerability was fixed with the update 4.1.2 and was (according to your assumption) located in this call graph:

- /wp-admin/async-upload.php : (Index)
- - /wp-admin/includes/ajax-actions.php : wp_ajax_upload_attachment
- - - /wp-includes/functions.php : wp_check_filetype_and_ext
- - - - /wp-includes/functions.php : wp_check_filetype

The validation of filenames in "/wp-includes/functions.php : wp_check_filetype" failed under certain circumstances if the user-provided filename contains special chars of regular expressions.

Exploiting this vulnerability enables users with any file upload privilege to upload and execute any type of file. This results in the ability to execute arbitrary code.


Researchers:

* Sebastian Kraemer (https://www.HSASec.de)
* Michael Kapfer (https://www.HSASec.de) 

	

Best regards,
 Michael Kapfer & Sebastian Kraemer 
(https://www.HSASec.de) 
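
Added example, not part of the original message and not WordPress code: one way to validate an upload filename so that regular-expression special characters in the name cannot influence the decision. The function name, the allowlist, the single-extension policy and the sample names are assumptions of this example.

```php
<?php
// Added example: not WordPress code. Names, allowlist and policy are assumptions.

const SAFE_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-';
const ALLOWED_TYPES = [            // hypothetical extension => MIME allowlist
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
    'pdf' => 'application/pdf',
];

/** Returns ['ext' => ..., 'mime' => ..., 'stored_as' => ...] or null to reject. */
function check_upload_name(string $name): ?array
{
    if ($name === '' || strlen($name) > 255) {
        return null;
    }
    // Character allowlist via strspn(): the name is only ever data, never part
    // of a pattern, so ( ) | $ * and similar cannot alter the check.
    if (strspn($name, SAFE_CHARS) !== strlen($name)) {
        return null;
    }
    // Exactly one dot, not leading: rules out dotfiles and stacked extensions.
    if ($name[0] === '.' || substr_count($name, '.') !== 1) {
        return null;
    }
    // Extension by string slicing, compared by exact array-key lookup.
    $ext = strtolower(substr($name, strrpos($name, '.') + 1));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Store under a server-generated name; the client's name is metadata only.
    return [
        'ext'       => $ext,
        'mime'      => ALLOWED_TYPES[$ext],
        'stored_as' => bin2hex(random_bytes(16)) . '.' . $ext,
    ];
}

// Constructed sample names, including regex metacharacters.
$samples = ['report.pdf', 'photo.JPG', 'page.php', 'x.(jpg|php)', 'pic.jpg$',
            'a.php.jpg', '.htaccess', 'notes.', 'img*.png'];
foreach ($samples as $s) {
    $r = check_upload_name($s);
    printf("%-14s %s\n", $s, $r ? "accept as {$r['stored_as']}" : 'reject');
}
```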


