Date: Thu, 27 Nov 2014 02:12:27 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: ryan@...hurstsecurity.com, hugo.s@...uxmail.org
Subject: Please reject CVE-2014-8585

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mitre,

Please REJECT CVE-2014-8585, thanks.

  Directory traversal vulnerability in the WordPress Download Manager plugin
  for WordPress allows remote attackers to read arbitrary files via a ..
  (dot dot) in the fname parameter to (1) views/file_download.php or
  (2) file_download.php.

The file file_download.php is not available in any version of the WordPress plugin "download-manager"; I checked SVN and the latest 2.7.4 version from https://wordpress.org/plugins/download-manager/

The PoC refers to a random WordPress installation with a plugin named "document_manager", which is indeed vulnerable. I sent abuse emails to a few affected targets. The plugin "document_manager" is custom and not available in the WP plugin repository. This was noticed during http://www.wpscan.org/ development.

If I am correct, the OSVDB item refers to the issue listed on vexatioustendencies.com, which has a different attack scenario and payloads.

References:

- http://osvdb.org/111215
- http://secunia.com/advisories/59925/
- http://packetstormsecurity.com/files/128852/WordPress-Download-Manager-Arbitrary-File-Download.html
- https://vexatioustendencies.com/wordpress-plugin-vulnerability-dump-part-2/

---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlR2bGsACgkQXf6hBi6kbk/6tgCeL3A5Wuw10z9lth01PfcZ73XX
MBUAn2RBTmkJAJuwPS/hvaZxg2ycxcVA
=upSJ
-----END PGP SIGNATURE-----
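The CVE text quoted in the message describes the classic shape of this bug: a file-download endpoint joins an attacker-controlled fname parameter onto a base directory and reads the result. The following is an added example, not code from the e-mail, from the "download-manager" plugin or from the custom "document_manager" plugin it mentions; it is written in Python rather than PHP so the behaviour can be exercised offline, and all paths, file names and contents are constructed for the demonstration. It shows a handler with the flaw beside a hardened one that decodes the parameter once, canonicalises the path and checks containment on path components, so that a `..` sequence, a percent-encoded `%2e%2e`, an absolute path, and a sibling directory sharing the base name as a prefix (`uploads2`) are all rejected while a legitimate file is still served.

```python
import os
import shutil
import tempfile
import urllib.parse


def make_sandbox():
    """Constructed layout: a fake wp-content/uploads download directory, a
    sibling 'uploads2' directory, and a wp-config.php two levels up that a
    download handler must never be able to serve."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "wp-content", "uploads")
    os.makedirs(base)
    os.makedirs(os.path.join(root, "wp-content", "uploads2"))
    with open(os.path.join(base, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample document")
    with open(os.path.join(root, "wp-content", "uploads2", "secret.txt"), "wb") as f:
        f.write(b"constructed sibling-directory secret")
    with open(os.path.join(root, "wp-config.php"), "wb") as f:
        f.write(b"<?php define('DB_PASSWORD', 'constructed-secret');")
    return root, base


def vulnerable_download(base, fname):
    """Mirrors the flaw in the CVE description: fname is joined to the download
    directory with no check, so '../../wp-config.php' walks out of it."""
    path = os.path.join(base, fname)
    with open(path, "rb") as f:
        return f.read()


def safe_download(base, fname):
    """Hardened handler. Decode once (a web server normally does this already;
    decoding here guards against a double-encoded parameter), reject NUL bytes,
    resolve symlinks and '..' with realpath, then require that the resolved
    target shares the whole base directory as a path prefix. commonpath
    compares components, so 'uploads2' is not mistaken for 'uploads'."""
    decoded = urllib.parse.unquote(fname)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in file name")
    real_base = os.path.realpath(base)
    # os.path.join discards real_base if decoded is absolute; realpath plus the
    # containment check below still rejects that case.
    target = os.path.realpath(os.path.join(real_base, decoded))
    if os.path.commonpath([real_base, target]) != real_base:
        raise PermissionError("path escapes the download directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(decoded)
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Run both handlers against constructed inputs and return the outcomes,
    with 'blocked' standing for a rejected request."""
    root, base = make_sandbox()
    try:
        results = {"vulnerable_leak": vulnerable_download(base, "../../wp-config.php")}
        cases = [
            ("plain", "report.pdf"),
            ("dotdot", "../../wp-config.php"),
            ("encoded", "%2e%2e/%2e%2e/wp-config.php"),
            ("sibling", "../uploads2/secret.txt"),
            ("absolute", os.path.join(root, "wp-config.php")),
        ]
        for label, fname in cases:
            try:
                results[label] = safe_download(base, fname)
            except PermissionError:
                results[label] = "blocked"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:15} {outcome!r}")
```

A plain string prefix test (`target.startswith(base)`) would pass the `sibling` case, which is why the check is done on path components; a check performed before `realpath` would pass a symlink planted inside the upload directory, which is why canonicalisation comes first.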