Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun,  6 Sep 2015 12:58:12 -0400 (EDT)
From: cve-assign@...re.org
To: scott@...iszewski.me
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Some Wordpress Plugin Stuff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> SecurityMoz Security Audit
> 
> https://wordpress.org/plugins/securemoz-security-audit/
> 
> file_get_contents() + explicitly HTTP (no TLS) -> unserialize()

> http://plugins.svn.wordpress.org/securemoz-security-audit/trunk/class/__functions.php
> 
> unserialize(file_get_contents("http://api.tweetmeme.com/url_info.php?url=$url"));

Use CVE-2015-6828.


> WP Limit Login Attempts
> 
> https://wordpress.org/plugins/wp-limit-login-attempts/
> 
> Trivial SQL injection via HTTP headers.
> 
> $ip = getip();
> 
> SELECT ... WHERE `login_ip` =  '$ip'
> 
> function getip(){
> 
> $ip = $_SERVER['HTTP_CLIENT_IP'];
> $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];

Use CVE-2015-6829.


> Also, Tor Blocker (link below) uses HTTP to grab the list of IP addresses
> to block. It's telling and appropriate that the person who developed a
> plugin to oppose a privacy technology would fail to use TLS.
> 
> https://wordpress.org/plugins/tor-exit-nodes-blocker/
> 
> (Surely no one would ever think to hack an upstream router and MitM the
> connection to block the blog administrator from their own blog or allow Tor
> nodes through!)

We don't think that we can assign a CVE ID for this. The product
relies on data at the http://pike.hqpeak.com/api/free.php URL; that
data is not currently available at the
https://pike.hqpeak.com/api/free.php URL or any other HTTPS URL that
we know about. Apparently the risk in using HTTP is
incorrect/incomplete data, not code execution. If MITM attacks occur,
the product user could typically recover from them by deleting
unwanted postings and by establishing their own administrative login
from a different IP address. MITM attacks aren't likely to occur
continuously. Given that the data is only available via HTTP (not
HTTPS) and the product user wants the data, we're unable to reach a
conclusion that the http://pike.hqpeak.com URL is necessarily a
vulnerability without knowing the vendor's perspective. One possible
example is that the vendor didn't want to support HTTPS in case the
plugin became very popular and the pike.hqpeak.com server was unable
to support all of the load of cryptography calculations.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJV7G/jAAoJEL54rhJi8gl5zBgP/jrGs9pxHGh/KTnnOPKLPTNN
5m6R05QzpqJKf4/Ztt2T8Ewe/FmHL9XrcWTsz5/VnidxlwdY5/vUGqCpomCYxVn0
T7SU77+AildiPBZOdVrO3i+JRkQZo6k0I77HAmwP94WU9GDY0v2qS3yd2vnYzmtp
KB7jrrBDxMNZ0HqytgtdiTToyta2PrLnQA+fzjf3Z71loQsZw/9w7+IBK9xSOE1o
iZz4h3kocsW0ZijcT4UJ2rD31fLBSYZ8Rzcp39VtzrQkO5tiMCMjLONaeOLF6XuD
9EFPzj4xh9xLa7KytS96+I0Lq0NHM3H8XrACkCYm5kzS9dollzSHUmrJqYWmcrt8
6GCMquPp/52YUzWExNZcmNG/LCecMRfCVMRJaC3wVIb+CPduIdvpQB5n+WVBQf8b
Kwq5sZbtbKWe1W8HMZgr3pRibh1yu+41mSgTsZi+L0uqzkpCdwnLfnLFr19CTdX/
N+Ar0qjmfhz9p4uGfKHcuepy8/mq1JesgiLBbdoM9q3/wnZjJVIp5pqNbli9fqfi
nwLqEzbNucSSqLxTEb4z51DZ/cNcfjcW9IcHwXCgCdNywQ5xwk41F+kW7hNF6PUM
NlCuEgIEreWze/Kberp3PMGjF2OBsQQF4lRZe2xvKJQNfxmGWYrTpZxm3l9Crke0
Tt2OUTb4jvb5AsWl1w3B
=DjqZ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ