Date: Thu,  8 Sep 2016 18:16:51 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Persistent Cross-Site Scripting vulnerability in WordPress due to unsafe processing of file names

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/

(Please note the "extra" CVE ID below for the other vulnerability
fixed in 4.6.1.)


> a cross-site scripting vulnerability via image filename, reported by
> SumOfPwn researcher Cengiz Han Sahin

Use CVE-2016-7168.


> lure an admin into uploading the image with the malicious file name

> A WordPress admin uploads a malicious image file requested by a user
> this admin trusts or a popular malicious image that was spread via
> social media.

We are not sure whether this CVE-2016-7168 issue is best interpreted
as a vulnerability. We think it means that the admin has the
unfiltered_html capability, and proceeds with uploading the file even
though its name (which contains an embedded IMG string with
onerror=alert in the PoC) is visible to the admin. It seems to be more
of a design change in which the meaning of unfiltered_html is slightly
redefined, in a way that is helpful to many users but not all.

One counterargument use case is:

  - the admin of WordPress site A observes that all of their images
    are being stolen for use on WordPress site B

  - the process for stealing the images keeps each original filename

  - the admin of WordPress site A specifically wants one image
    filename to contain JavaScript code, as part of an effort to
    identify the operators of WordPress site B (this JavaScript code
    has no effect on site visitors when encountered in the context of
    WordPress site A)

  - the admin of WordPress site A has always relied on the Media
    Upload functionality in wp-admin/media-new.php for entering these
    filenames, and this is now broken with the upgrade to 4.6.1


> a path traversal vulnerability in the upgrade package uploader,
> reported by Dominik Schilling from the WordPress security team

Use CVE-2016-7169.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX0eL2AAoJEHb/MwWLVhi2Lh4P/2cDC6Zf4kN3HFWGcb9W2imm
gzqdAzr2nX29Jj3JDpRuNMEI+2M2eO8uNXCwMbyTd0bOTjtkUsclvnI5uuD/Of6N
J3+uj5h75yHcEaB6sHNnDRYaViUiLaHZEvpTsre+O47p1kQwR8OlTB65W4IkE6bH
NeA0K/TxpOtoIpPnHtnozgEpjUfTKfyppbyasRs7jxK4y6IG5wsZSjWKR5JjD2i/
0JafwL4KFqRwTDy3DqtRLGzOzL0gQqDPQ4peFK/uvwqDTg/VEUqcgLtvovX2PZes
VJWfqAjH51jXy9/A8MFyZqkpZQ71miNe+K2edMXSeXWps6YEjP/UH/zgDCg7HXof
2e3j7l37sN3Z2KYZcD0qnd7ZhYmSgfpadOP9XFAj/jd9Fp5m/laU8uu+JjHBKntZ
Iy30HYcNJpVvysoBtFFEW49ehjVbRMtfYMlK0I9cZmWMWPK9U98HstQlD67jkzkc
FpBI5wt/YNZFRzVCBu/NnvgYxP78/tF++gvKz9xc0k7xv6DDxbUwd5EcTKD15nJU
DT0s4kFfaFGEbPOY42XCPdKLpF30tQnsYduoFJNGJSW84sY8P+E0t0vh8dIUgeni
iyboz/dba+EAqfmVnDz38f2aR+hv14B7xxdGwBhEr0Z9tFtW7bnLp3KOKMuw/m5s
nVA/yYzhdOE+0L98iiGf
=g17f
-----END PGP SIGNATURE-----
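
The CVE-2016-7168 mechanism discussed in the message above, as an added example that is not WordPress code and not the PoC from the thread: an upload filename shaped like the one described (an IMG tag carrying an onerror handler) is echoed raw into an admin media listing and is parsed as markup, while the same filename escaped at the output sink is shown verbatim. An allow-list filename sanitizer is included as the input-side alternative. escapeHtml, renderRowUnsafe, renderRowSafe, sanitizeFilename, containsInjectedMarkup and demo are this example's own names, the sanitizer is a hypothetical one and not WordPress's sanitize_file_name(), and the filenames are constructed.

```javascript
// Added example, not WordPress code and not the PoC from the thread.
// Shows how an upload filename shaped like the one described (an IMG tag
// with an onerror handler) becomes stored XSS when a media listing echoes
// it raw, and two ways to stop that: escaping at the output sink and an
// allow-list filename sanitizer applied when the upload is accepted.

// Constructed sample filenames (not real uploads).
const SAMPLE_FILENAMES = [
  'holiday-photo.jpg',
  '<img src=x onerror=alert(1)>.jpg', // shape of the PoC described in the thread
];

// Hypothetical helper: entity-escape the five characters that matter in
// HTML text and double-quoted attribute contexts. Generic output escaping,
// not WordPress's esc_html()/esc_attr().
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored filename is interpolated straight into the
// admin page markup, so any tag inside it is parsed by the browser.
function renderRowUnsafe(filename) {
  return `<tr><td class="title">${filename}</td></tr>`;
}

// Hardened pattern: same template, filename escaped at the point of output.
// The stored name is left untouched, so the admin still sees it verbatim.
function renderRowSafe(filename) {
  return `<tr><td class="title">${escapeHtml(filename)}</td></tr>`;
}

// Input-side alternative (hypothetical, not sanitize_file_name()): keep only
// [A-Za-z0-9._-], collapse each run of rejected characters into one '-',
// refuse leading dots/dashes (so '..' and hidden names vanish) and drop a
// dash left in front of the extension. Empty results fall back to 'file'.
function sanitizeFilename(filename) {
  return String(filename)
    .replace(/[^A-Za-z0-9._-]+/g, '-')
    .replace(/-{2,}/g, '-')
    .replace(/^[-.]+/, '')
    .replace(/-+(\.[^.]*)$/, '$1') || 'file';
}

// Check used by the demo: does the rendered fragment contain any element the
// template itself did not emit? Only <tr> and <td> are legitimate here.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[A-Za-z][A-Za-z0-9-]*/g) || [];
  return tags.some((t) => !/^<\/?(tr|td)$/.test(t));
}

// Render every sample both ways and report whether markup leaked through.
function demo() {
  return SAMPLE_FILENAMES.map((name) => ({
    name,
    unsafeLeaks: containsInjectedMarkup(renderRowUnsafe(name)),
    safeLeaks: containsInjectedMarkup(renderRowSafe(name)),
    sanitized: sanitizeFilename(name),
  }));
}

for (const row of demo()) {
  console.log(row);
}
```

Run with node. The two defences differ in exactly the way the message's counterargument turns on: escaping at output leaves the stored filename intact (the site-A admin's JavaScript-bearing name survives and is simply displayed as text), whereas an allow-list sanitizer rewrites the name on upload and so removes that use case. The hardened row is safe in both text and attribute context; a filename placed into an unquoted attribute or a script block would need context-specific encoding that escapeHtml() alone does not provide.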
