Date: Sun,  6 Sep 2015 12:58:12 -0400 (EDT)
From: cve-assign@...re.org
To: scott@...iszewski.me
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Some Wordpress Plugin Stuff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> SecurityMoz Security Audit
> 
> https://wordpress.org/plugins/securemoz-security-audit/
> 
> file_get_contents() + explicitly HTTP (no TLS) -> unserialize()

> http://plugins.svn.wordpress.org/securemoz-security-audit/trunk/class/__functions.php
> 
> unserialize(file_get_contents("http://api.tweetmeme.com/url_info.php?url=$url"));

Use CVE-2015-6828.


> WP Limit Login Attempts
> 
> https://wordpress.org/plugins/wp-limit-login-attempts/
> 
> Trivial SQL injection via HTTP headers.
> 
> $ip = getip();
> 
> SELECT ... WHERE `login_ip` =  '$ip'
> 
> function getip(){
> 
> $ip = $_SERVER['HTTP_CLIENT_IP'];
> $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];

Use CVE-2015-6829.


> Also, Tor Blocker (link below) uses HTTP to grab the list of IP addresses
> to block. It's telling and appropriate that the person who developed a
> plugin to oppose a privacy technology would fail to use TLS.
> 
> https://wordpress.org/plugins/tor-exit-nodes-blocker/
> 
> (Surely no one would ever think to hack an upstream router and MitM the
> connection to block the blog administrator from their own blog or allow Tor
> nodes through!)

We don't think that we can assign a CVE ID for this. The product
relies on data at the http://pike.hqpeak.com/api/free.php URL; that
data is not currently available at the
https://pike.hqpeak.com/api/free.php URL or any other HTTPS URL that
we know about. Apparently the risk in using HTTP is
incorrect/incomplete data, not code execution. If MITM attacks occur,
the product user could typically recover from them by deleting
unwanted postings and by establishing their own administrative login
from a different IP address. MITM attacks aren't likely to occur
continuously. Given that the data is only available via HTTP (not
HTTPS) and the product user wants the data, we're unable to reach a
conclusion that the http://pike.hqpeak.com URL is necessarily a
vulnerability without knowing the vendor's perspective. One possible
example is that the vendor didn't want to support HTTPS in case the
plugin became very popular and the pike.hqpeak.com server was unable
to support all of the load of cryptography calculations.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
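The unserialize(file_get_contents("http://...")) pattern in the first report is worth seeing in code, because the difference between "bad data" and "code execution" that MITRE draws in the Tor Blocker paragraph is exactly what separates it from the blocklist case. The block below is an added example, not code from the plugin, the reporter or MITRE. CacheWriter is a hypothetical stand-in for any class with a magic method that happens to be loaded in a WordPress install; the API response bodies are constructed inline so the script runs offline, and the attacker's payload is written by hand as a serialized string so no CacheWriter is ever instantiated on the "attacker" side.

```php
<?php
// Added example (not the plugin's code): PHP object injection through
// unserialize() on a body fetched over plain HTTP, beside a safe parser.
declare(strict_types=1);

// Hypothetical gadget: an ordinary application class whose destructor writes
// a file. Only the class definition has to exist on the victim; the attacker
// picks the class name and every property value.
class CacheWriter {
    public string $path = '/tmp/cache.txt';
    public string $data = '';
    public function __destruct() {
        file_put_contents($this->path, $this->data);
    }
}

// Constructed: what a benign API server would return.
function benign_response(): string {
    return serialize(['url_count' => 42, 'tw_count' => 7]);
}

// Constructed: what an on-path attacker substitutes for that body. Built as a
// raw string so this process never creates (and never destructs) a CacheWriter.
function hostile_response(string $path, string $data): string {
    return sprintf('O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data);
}

// Vulnerable consumer: instantiates whatever class the body names.
function parse_vulnerable(string $body) {
    return unserialize($body);
}

// Hardened consumer (PHP >= 7.0): refuse to instantiate any class, so a
// hostile object arrives as __PHP_Incomplete_Class and no __wakeup or
// __destruct of the attacker's choosing ever runs; then check the shape.
function parse_hardened(string $body): array {
    $v = unserialize($body, ['allowed_classes' => false]);
    if (!is_array($v) || !isset($v['url_count']) || !is_int($v['url_count'])) {
        throw new UnexpectedValueException('unexpected response shape');
    }
    return $v;
}

// Transport side of the fix (not called in this offline run): fetch over
// HTTPS with peer verification left on, which is PHP's default since 5.6.
function fetch_over_tls(string $url): string {
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('fetch failed');
    }
    return $body;
}

// Demo. $tmp is a constructed target path so the write is harmless here.
$tmp     = tempnam(sys_get_temp_dir(), 'poi');
$payload = hostile_response($tmp, 'attacker-controlled bytes');

// Vulnerable path: unserialize() builds a CacheWriter; dropping the last
// reference runs its __destruct(), writing attacker bytes to an attacker path.
$obj = parse_vulnerable($payload);
unset($obj);
echo 'vulnerable path wrote: ', file_get_contents($tmp), PHP_EOL;
unlink($tmp);

// Hardened path: the same bytes produce no live object and fail the shape check.
try {
    parse_hardened($payload);
} catch (UnexpectedValueException $e) {
    echo 'hardened path rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(parse_hardened(benign_response()));
```

The allowed_classes option is the minimal repair when the wire format cannot be changed; when it can, return JSON and use json_decode(), which has no class instantiation to disable. Neither helps if the body still travels over plain HTTP, because then the attacker also controls the data the shape check lets through.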

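The second report (getip() feeding HTTP_CLIENT_IP / HTTP_X_FORWARDED_FOR straight into a WHERE clause) combines two independent mistakes: trusting a client-supplied header for the client's address, and interpolating it into SQL. The block below is an added example, not the plugin's code, showing the reported pattern next to a version that fixes both. It runs offline against an in-memory SQLite table; the table name, the sample rows, the TRUSTED_PROXIES list and the request arrays are all constructed for the demo.

```php
<?php
// Added example (not the plugin's code): header-derived client IP used
// unsafely in SQL, beside a hardened version. Offline, using SQLite via PDO.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login_fails (login_ip TEXT, failures INTEGER)');   // constructed
$pdo->exec("INSERT INTO login_fails VALUES ('10.0.0.5', 3), ('203.0.113.9', 1)");

// Mirrors the reported getip(): the last assignment wins, so any client that
// sends X-Forwarded-For replaces the real socket address with arbitrary text.
function getip_vulnerable(array $server): string {
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (isset($server['HTTP_CLIENT_IP']))       { $ip = $server['HTTP_CLIENT_IP']; }
    if (isset($server['HTTP_X_FORWARDED_FOR'])) { $ip = $server['HTTP_X_FORWARDED_FOR']; }
    return $ip;
}

// Mirrors the reported query shape: string interpolation into the WHERE clause.
function count_failures_vulnerable(PDO $pdo, array $server): array {
    $ip  = getip_vulnerable($server);
    $sql = "SELECT login_ip, failures FROM login_fails WHERE login_ip = '$ip'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: honour forwarding headers only when the TCP peer is a proxy we
// operate (constructed address), take the first hop of the list, and reject
// anything that is not a syntactically valid IP before it reaches the database.
const TRUSTED_PROXIES = ['192.0.2.10'];

function getip_hardened(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $ip = $remote;
    if (in_array($remote, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // X-Forwarded-For is "client, proxy1, proxy2, ..."; the client is first.
        $ip = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('Invalid client IP');
    }
    return $ip;
}

// Parameterised query; inside WordPress the equivalent is
// $wpdb->prepare("... WHERE login_ip = %s", $ip).
function count_failures_hardened(PDO $pdo, array $server): array {
    $ip   = getip_hardened($server);
    $stmt = $pdo->prepare('SELECT login_ip, failures FROM login_fails WHERE login_ip = ?');
    $stmt->execute([$ip]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: the attacker connects directly (not through a proxy)
// and supplies a crafted X-Forwarded-For header.
$request = [
    'REMOTE_ADDR'          => '198.51.100.77',
    'HTTP_X_FORWARDED_FOR' => "x' OR '1'='1",
];

// Vulnerable path: the clause becomes  login_ip = 'x' OR '1'='1'  and every
// row matches, so the per-IP counter the plugin relies on is meaningless.
var_dump(count_failures_vulnerable($pdo, $request));

// Hardened path: the header is ignored because 198.51.100.77 is not a trusted
// proxy, and the lookup is keyed on the real socket address.
var_dump(count_failures_hardened($pdo, $request));

// A request that really does arrive via the trusted proxy but carries a
// non-IP header value is rejected before any SQL is built.
try {
    getip_hardened(['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => "x' OR '1'='1"]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The validation step matters even with a prepared statement: a login-throttling table keyed on whatever text a client chooses is still bypassable (rotate the header, never hit the limit), so the address has to come from the socket or from a proxy you control, and a prepared statement only closes the injection half of the problem.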