Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 21 Jun 2015 18:00:51 -0500
From: "sec@...entropy.us" <sec@...entropy.us>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Yoast Wordpress SEO Plugin <= 2.1.1 Stored, Authenticated XSS

Thank you for investigating. I agree that since this was never patched there don't need to be two separate CVE identifiers, but it does seem a little odd to create a new 2012 CVE. In any case, at least it now has an identifier.

Thanks again,
Charles

> On Jun 21, 2015, at 10:59 AM, cve-assign@...re.org wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>> https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/
>> https://wordpress.org/plugins/wordpress-seo/changelog/
> 
> See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6692 for
> the XSS issue related to the "everyone can make a post. This post is
> then validate by an admin user. So everyone can use the security
> breach to execute javascript in admin" threat model on the
> https://wordpress.org/support/topic/security-issue-with-post-title-field-xss-vulnerability
> page from 2012-10-31.
> 
> It appears that the outcome is that the XSS payload is stored and then
> immediately reflected. Probably the highest risk is from the stored
> XSS, but the reflected aspect is also relevant if the admin encounters
> a malicious web site while logged into WordPress.
> 
> However, that 2012-10-31 page also says:
> 
>  - connect you on admin of your site
>  - go to url : [www.yoursite.com]/wp-admin/post-new.php?post_title=<script>alert('There is a problem');</script>
>  - The alert message is displaying !
> 
>  => CSRF : http://en.wikipedia.org/wiki/Cross-site_request_forgery
> 
> Is (or was) there a separate CSRF vulnerability, of interest to an
> attacker who wants to make a post (without any XSS payload) with the
> admin's credentials?
> 
> 
> Finally, you mentioned:
> 
>> the plugin author said that it had already been patched at the time.
> 
>>> This was already patched in 1.3
> 
> Apparently this refers to:
> 
>  http://plugins.svn.wordpress.org/wordpress-seo/trunk/changelog.txt
> 
>  = 1.3 =
> 
>  * Long list of small fixes and improvements to code best practices
>  after Sucuri review. Fixes 3 small security issues.
> 
> We don't know whether there was an earlier incomplete fix to the
> metabox functionality, so we aren't currently assigning a different
> CVE ID for versions before 1.3.
> 
> - -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (SunOS)
> 
> iQEcBAEBAgAGBQJVht6kAAoJEKllVAevmvmska0IALWeV0XUgZnR55gmkkcG3eQj
> zYKi+tIF3l6+e15h5JjxFcdvoND+DqyMgpko+0Y5qO+ret/lFRPWjfZi8IE/QLXl
> FNiCSKA9k0s+cte+rcsI+UPp3iUC9aG0XkHCD0s5HU27Zd2N6dzWJiJEyy+x9LzN
> ERt20Vmb/zgh2oI5CWzFgtyLE4dQ6svJG9EKEtZxDaBJWFKB2icbpQ0Bwztwsbe4
> eWjaQnMF+vwb7jFJL99TXzDKFuyVIg9fIOlBj7bEHXSTmhkFiilVaXMF/n2LKIxa
> oKrgmmQ9DkZtjPJeBWM7uEiDg6gj5I/+sJ6XIqLzCr5PKsSJIxMq3dVvfTOwkSc=
> =TGMg
> -----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ