Message-ID: <517828C2.4060106@redhat.com>
Date: Wed, 24 Apr 2013 12:47:30 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: security@...dpress.org, donncha@...oimh.ie
Subject: Re: WP-Super-Cache XSS and Remote Code Exec

On 04/24/2013 12:30 PM, Kurt Seifried wrote:
> Is there any way to get the WordPress community involved in
> actually handling security issues properly? E.g. requesting CVEs,
> or heck, I'll settle for being notified via email directly. I found
> out about this stuff on Reddit (linked to Tony Perez's blog
> posting) so I read the code and voila:
>
> ===============================================================
>
> WP-Super-Cache XSS 1.3 Fixed in 1.3.1 with code changes like:
>
> -<form name="wp_manager" action="<?php echo $_SERVER[ "REQUEST_URI" ]; ?>" method="post">
> +<form name="wp_manager" action="" method="post">
>
> Please use CVE-2013-2008 for this issue.
>
> ===============================================================
>
> WP-Super-Cache 1.2 Remote Code Execution Fixed in 1.3:
>
> +2013-04-11 10:39  donncha
> +
> +	* wp-cache.php: Remove mfunc, mclude and dynamic-cached-content
> +	tags from comments. Props Frank Goossen
> +	(http://blog.futtta.be/2013/04/10/wp-safer-cache-stopgap-for-wordpress-cache-plugins-vulnerability/)
> +	and kisscsaby
> +	(http://wordpress.org/support/topic/pwn3d?replies=6)
>
> http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
>
> To test leave a comment like: <!?mfunc echo PHP_VERSION; ?><!?/mfunc?>
>
> To fix it they added a mfunc filter in
> wp-super-cache-1.3/wp-cache.php:
>
> +add_filter( 'preprocess_comment','no_mfunc_in_comments' );
> +add_filter( 'comment_text','no_mfunc_in_comments' );
> +add_filter( 'comment_excerpt','no_mfunc_in_comments' );
> +add_filter( 'comment_text_rss','no_mfunc_in_comments' );
>
> Please use CVE-2013-2009 for this issue.
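Review bot: the form-tag change is the right shape, since an empty `action=""` submits to the current document URL and no longer reflects `$_SERVER["REQUEST_URI"]` into an attribute unescaped; any other place in the settings page that still echoes a `$_SERVER` value should get the same treatment or go through `esc_attr()` / `esc_url()` before output.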
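Review bot: the four `add_filter` registrations show where `no_mfunc_in_comments` is hooked but not its body, so what the callback actually removes (and whether it strips, escapes or rejects) cannot be checked from these lines; note also that `preprocess_comment` only runs on newly submitted comments and passes the `$commentdata` array, while `comment_text`, `comment_excerpt` and `comment_text_rss` run at display time on a string, so one callback serving all four must handle both shapes, and comments stored before 1.3 are covered only by the three display-time hooks.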
Forgot to include link to source code:
http://wordpress.org/extend/plugins/wp-super-cache/

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
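The comment filter described in the quoted message, written out as an added PHP example that is not WP-Super-Cache's own code: it neutralises the HTML comment opener in comment text instead of deleting matching markers, and it handles both the array that `preprocess_comment` passes and the string the three display-time hooks pass. All function and constant names are hypothetical.

```php
<?php
// Added example, not WP-Super-Cache's code; function and constant names are hypothetical.
// WP-Super-Cache 1.2 and earlier executed PHP found inside <!--mfunc ... -->,
// <!--mclude ... --> and <!--dynamic-cached-content--> markers when serving a cached
// page, so such markers must never reach the cache from untrusted comment text.
// Escaping the comment opener keeps the visible text unchanged for readers while the
// cache parser no longer sees a marker; unlike deleting the marker, a single pass
// cannot be undone by nesting one marker inside another.
const WPSC_DYNAMIC_TAG_RE = '~<!--\s*/?\s*(?:mfunc|mclude|dynamic-cached-content)\b~i';

// Detection only: true when the text still carries a marker the cache would act on.
function wpsc_contains_dynamic_tag( $text ) {
    return preg_match( WPSC_DYNAMIC_TAG_RE, $text ) === 1;
}

// '&lt;!--' never contains '<!--', so one pass is enough.
function neutralise_html_comments( $text ) {
    return str_replace( '<!--', '&lt;!--', $text );
}

// One callback on several hooks must cope with both shapes: 'preprocess_comment'
// passes the $commentdata array, the three display-time hooks pass the body as a string.
function no_dynamic_tags_in_comments( $comment ) {
    if ( is_array( $comment ) ) {
        if ( isset( $comment['comment_content'] ) ) {
            $comment['comment_content'] = neutralise_html_comments( $comment['comment_content'] );
        }
        return $comment;
    }
    return neutralise_html_comments( (string) $comment );
}

if ( function_exists( 'add_filter' ) ) {            // running inside WordPress
    add_filter( 'preprocess_comment', 'no_dynamic_tags_in_comments' );
    add_filter( 'comment_text', 'no_dynamic_tags_in_comments' );
    add_filter( 'comment_excerpt', 'no_dynamic_tags_in_comments' );
    add_filter( 'comment_text_rss', 'no_dynamic_tags_in_comments' );
} else {                                            // stand-alone self-check: php this-file.php
    $sample = 'Nice post! <!--mfunc echo PHP_VERSION; --><!--/mfunc-->';   // constructed input
    $stored = no_dynamic_tags_in_comments( array( 'comment_content' => $sample ) );
    if ( wpsc_contains_dynamic_tag( $sample )
        && ! wpsc_contains_dynamic_tag( $stored['comment_content'] )
        && ! wpsc_contains_dynamic_tag( no_dynamic_tags_in_comments( $sample ) ) ) {
        echo "ok\n";
    } else {
        echo "FAIL\n";
    }
}
```

Run outside WordPress the file prints `ok` when both the array and string paths leave no marker the detection regex recognises; inside WordPress the four hooks are registered and the self-check is skipped.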