Message-ID: <5197EAAD.40409@redhat.com>
Date: Sat, 18 May 2013 14:55:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, plugins@...dpress.org
Subject: Re: CVE request: WordPress plugin wp-cleanfix CSRF

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/18/2013 03:50 AM, Henri Salo wrote:
> On Sat, May 18, 2013 at 12:54:23AM -0600, Kurt Seifried wrote:
>> Sorry I'm not clear, this appears to be two vulns, a CSRF, and a
>> remote code exec, the remote code exec can be triggered via the
>> CSRF (so remote anon attacker can pull this off with some social
>> engineering/etc.), but can also be done by users with access?
>> Thanks.
>
> File wpCleanFixAjax.php contains:
>
> 30 $command = strip_tags( $_POST['command'] );
> 31 eval ( $command );
>
> and there is:
>
> 12 if ( is_admin() && _wpdk_is_ajax() ) {
>
> So it only works when logged in as administrator. This is not a
> security vulnerability as is, because a WordPress administrator can
> upload/edit PHP as she or he likes.
>
> There is a CSRF vulnerability, which can be used to execute
> arbitrary PHP.
>
> POST /wordpress/wordpress-351/wp-admin/admin-ajax.php
> action=wpCleanFixAjax&command=echo phpversion();
>
> So in short: two vulnerabilities, but eval can't be used without
> CSRF as far as I can tell.
>
> ---
> Henri Salo

Ok, this is a slightly messy one. Normally yes, a WP admin can modify the
site and thus execute arbitrary PHP, so a remote flaw that allows PHP
command execution only for admin would be a security flaw (e.g. worthy of
hardening) but not typically a security vulnerability (e.g. worthy of a
CVE and full security treatment). However, in this case it is exploitable:
the CSRF provides a vector for exploitation. So it gets a separate CVE.

So please use CVE-2013-2108 for the WordPress plugin wp-cleanfix CSRF

And please use CVE-2013-2109 for the WordPress plugin wp-cleanfix Code Execution

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIbBAEBAgAGBQJRl+qtAAoJEBYNRVNeJnmT8aEP93mY/3AQjDkAdaflQVO1jkAH
YRl8t9HJgwqvSYHhzb7cRNXVUBiIjXp/p2CeCFr6YZVwMWwNj2I2J5nvWSl4SZ0a
Q7XsEFzYk5IzM0H+tkG6o9k4+2kHbSbSLgIAY66NmmqRH2yrFI0yGbZmh6rnOQew
YShWETw+cBBkRE6eaFGGY3HwrgRnrxSLhq4ZbeXJw5JTQSmBJuvcFcRwMDtik1xb
WdlDPRPZ2QXstHYUnHhr1ar8v1H8T0xegbcLqa0mYO6x0hJTlEjizon6OxSOYCf9
nxQxIGceMbky30YmuN/4+D77gKLQONPdrK3KhSmlI7BPpxG4uv3IQbNwtjTooj3f
bG4ogr2E7tPSVIzjFv/oHGyattFUkkOK7pQxthrWxXaQOsy0ULjHuPXKOwxByT9n
t6QaF+TXYZgg3esoKlWBI40sHDJEVpskMxnlq+2RX4KIk6rmINMqk1Dk/5AqwkhL
CqeN2SbBVUZ/iII2DbDV7sPK6YYMGQJH1/mSaWzZiFaGDnoZltnofvkJgQe9/x1E
vYkJlyl0gi1q49Olz9MprIv2t4vxg1mS+4bnyPnRJ4xrw8OBheevmT4tTCsIDXF2
oFbtEnwJdekBf6d1tjOUbEnj8aJlSYQ2UdCwRwg4PjgnGAfqvolk7joGC0rawHna
H59nYKmVh8R/YiPKQ5o=
=jXn+
-----END PGP SIGNATURE-----
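The thread above identifies two defects in the quoted handler: no CSRF token, so a forged POST from an administrator's browser reaches it, and eval() on client-supplied text, so anything that reaches it runs as PHP. One practitioner caveat on the quoted gate: is_admin() in WordPress reports whether the request targets an admin-area URL (admin-ajax.php is one), not whether the caller holds the administrator role, so it is neither a CSRF check nor an authorisation check. The following is an added example written for this page, not wp-cleanfix's own code: a hardened admin-ajax handler for the same kind of maintenance endpoint, using WordPress's stock nonce and capability APIs (check_ajax_referer, current_user_can, wp_create_nonce, wp_send_json_*) and an allowlist of named operations in place of eval(). The action name example_cleanfix_run, the script handle and the two operations are hypothetical.

```php
<?php
// Added example (not wp-cleanfix's own code). Hypothetical action name
// 'example_cleanfix_run'; the plugin's real handler is not reproduced here.

// --- Vulnerable shape, as quoted in the thread (shown for contrast only) ---
// if ( is_admin() && _wpdk_is_ajax() ) {
//     $command = strip_tags( $_POST['command'] );
//     eval ( $command );
// }
// Problems: no nonce, so a forged cross-site POST made by a logged-in admin's
// browser is accepted; and eval() runs whatever string arrives.

// --- Hardened version ---

// 1. Register the handler for logged-in users only. Deliberately no
//    'wp_ajax_nopriv_' hook, so anonymous requests never reach it.
add_action( 'wp_ajax_example_cleanfix_run', 'example_cleanfix_run' );

// 2. Hand a nonce to the admin-page script, so legitimate requests can carry
//    it as the '_ajax_nonce' POST field that check_ajax_referer() expects.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-cleanfix',                              // hypothetical handle
        plugins_url( 'cleanfix.js', __FILE__ ),          // hypothetical script
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-cleanfix', 'exampleCleanfix', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_cleanfix_run' ),
    ) );
} );

// 3. A fixed table of operations. The request selects one by name; no PHP
//    source ever crosses the trust boundary. (Operations are hypothetical.)
function example_cleanfix_operations() {
    return array(
        'count_revisions' => function () {
            // Revisions are stored with post_status 'inherit'.
            return array( 'revisions' => (int) wp_count_posts( 'revision' )->inherit );
        },
        'count_spam' => function () {
            return array( 'spam' => (int) wp_count_comments()->spam );
        },
    );
}

function example_cleanfix_run() {
    // CSRF defence: the request must carry a nonce bound to this action and
    // to the current user's session. On failure check_ajax_referer() ends the
    // request with -1 before any further code runs.
    check_ajax_referer( 'example_cleanfix_run', '_ajax_nonce' );

    // Authorisation: being logged in is not enough; require an administrator
    // capability rather than relying on is_admin().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // Input validation: normalise the requested name and look it up in the
    // allowlist. Anything not listed is rejected, never interpreted.
    $ops = example_cleanfix_operations();
    $op  = isset( $_POST['command'] ) ? sanitize_key( wp_unslash( $_POST['command'] ) ) : '';
    if ( ! isset( $ops[ $op ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown command' ), 400 );
    }

    wp_send_json_success( $ops[ $op ]() );
}
```

The client side (the hypothetical cleanfix.js) posts `action=example_cleanfix_run`, `command=count_spam` and `_ajax_nonce=exampleCleanfix.nonce` to `exampleCleanfix.ajaxUrl`. A request without a valid nonce, such as the cross-site POST shown in the thread, is rejected before the capability check and the allowlist lookup are reached; a request with a valid nonce but an unlisted `command` value gets a 400 rather than execution.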