Date: Mon, 28 Jan 2013 23:50:26 -0700
From: Kurt Seifried <>
CC: Andrew Nacin <>, Henri Salo <>,
        WordPress Security Team <>
Subject: Re: CVE request: WordPress 3.5.1 Maintenance and Security

On 01/26/2013 01:13 PM, Andrew Nacin wrote:
> On Sat, Jan 26, 2013 at 2:19 AM, Kurt Seifried
> <> wrote:
>>> - A server-side request forgery vulnerability and remote port 
>>> scanning using pingbacks. This vulnerability, which could 
>>> potentially be used to expose information and compromise a
>>> site, affects all previous WordPress versions. This was fixed
>>> by the WordPress security team. We’d like to thank security
>>> researchers Gennady Kovshenin and Ryan Dewhurst for reviewing
>>> our work.
>> Basically it applies filters to pingbacks, things like:
>> return new IXR_Error(33, __('The specified target URL cannot be
>> used as a target. It either doesn't exist, or it is not a
>> pingback-enabled resource.')); so I was largely able to confirm
>> this one.
> The primary fix is to better validate a URL before triggering an
> HTTP request to it. You can see this with the filter and function 
> pingback_ping_source_uri in
> It blocks
> credentials, odd ports, RFC1918 IPs, etc. Turning the error 
> messages into generic errors was an additional defensive measure
> but due to the other fixes, does not address a particular
> vulnerability.
> What these fixes target have already been written about publicly: 

Please use CVE-2013-0235 for this issue

>>> - Two instances of cross-site scripting via shortcodes and post
>>> content. These issues were discovered by Jon Cave of the
>>> WordPress security team.
>> I found one instance of esc_attr() to esc_url() on a url used in
>> embedded media, I'm guessing this is the XSS mentioned in the 
>> description as "post content"?
> That was one — The
> other was, which
> serves to fully validate HTML tags passed to a shortcode and reject
> exploitative values.
>> All I'm seeing for shortcodes related junk is in a big JavaScript
>> blob
>> wp-35/wp-includes/js/media-editor.min.js. It looks like this
>> might need two CVEs if they are widely different.
> The changes in media-editor.min.js are bug fixes and not related
> to security. They may be seen in uncompressed form here: 

vuln type (XSS), same researcher, same version, CVE MERGE. Please
use CVE-2013-0236 for this issue.

>>> - A cross-site scripting vulnerability in the external library
>>> Plupload. Thanks to the Moxiecode team for working with us on
>>> this, and for releasing Plupload 1.5.5 to address this issue.
>> The diff for plupload is a mess of JavaScript/binary files so I
>> can't confirm much.
> The security fix was specific to the Flash binary. Here is the
> upstream commit:
> Exploit 
> occurs with uplupload.flash.js?id=XSS, using the attack described
> here: 

Please use CVE-2013-0237 for this issue.

> Regards, Andrew Nacin

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
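The URL validation Andrew describes for the pingback fix (refuse embedded credentials, odd ports and RFC 1918 / non-public addresses before any HTTP request is made) as an added illustration in Python; this is not WordPress's pingback_ping_source_uri code, and the allowed-port set, the optional resolver hook and the sample URLs are assumptions made for the example.

```python
import ipaddress
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

# Assumed policy values for the example: schemes and ports a pingback
# source may use.  Anything else is treated as an "odd" port.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}


def _is_public(address: str) -> bool:
    # Globally routable only: rejects RFC 1918, loopback, link-local,
    # IPv6 ULA and the other reserved ranges ipaddress knows about.
    return ipaddress.ip_address(address).is_global


def is_safe_pingback_target(
    url: str, resolve: Optional[Callable[[str], list]] = None
) -> Tuple[bool, str]:
    """Return (ok, reason) for a pingback source URL before fetching it.

    `resolve` is an assumed hook mapping a hostname to the IP strings it
    resolves to, so the address check covers names as well as literals.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme"
    # user:pass@ in a pingback source is never legitimate.
    if parts.username is not None or parts.password is not None:
        return False, "credentials"
    host = (parts.hostname or "").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False, "host"
    try:
        port = parts.port  # ValueError on a malformed or out-of-range port
    except ValueError:
        return False, "port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port"
    # A literal IP is checked directly; a hostname is checked through the
    # addresses it resolves to, since the name itself says nothing.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        if resolve is None:
            addresses = []  # no resolver supplied: hostname left unverified
        else:
            addresses = resolve(host)
            if not addresses:
                return False, "unresolvable"
    if not all(_is_public(a) for a in addresses):
        return False, "non-public address"
    return True, "ok"
```

Resolving and checking every returned address right before the request (rather than once, earlier) is what keeps the check meaningful against a name whose records change between validation and fetch.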
