NixOS / security

MIT License

Roundup: [oss-security] Fwd: [scr305104] wordpress before 4.7.3 #91

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.


Instructions:

Identification

Identify if we have the software, in 16.09, 17.03, and unstable. Then determine if we are vulnerable, and make a comment with your findings. It can also be helpful to specify if you think there is a patch, or if it can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123


Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000004149

Should the search term be changed from wordpress? Suggest a new package search by commenting:

-suggested:wordpress +suggested:correctPackageName thread:0000000000004149

Known CVEs: CVE-2017-6814, CVE-2017-6815, CVE-2017-6816, CVE-2017-6817, CVE-2017-6818, CVE-2017-6819



Sun, 12 Mar 2017 20:34:23 +0000 Craig Small , CALy8Cw58FYZobXa7G5MGoPbfJ4T9w1XHu3BYL1sGeBM-voBSkA@mail.gmail.com
FYI, The 6 wordpress CVE ids from Mitre.

 - Craig

---------- Forwarded message ---------
From: <cve-request@mitre.org>
Date: Sun, Mar 12, 2017 at 11:32 AM
Subject: Re: [scr305104] wordpress before 4.7.3
To: <csmall@debian.org>
Cc: <cve-request@mitre.org>


> [Suggested description]
> In WordPress before 4.7.3,
> there is
> authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is
> demonstrated by both (1) mishandling of the playlist shortcode in the
> wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling
> of meta information in the renderTracks function in
> wp-includes/js/mediaelement/wp-playlist.js.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 3.6.0-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Attack Vectors]
> Two Cross-Site Scripting vulnerabilities exist in the playlist
> functionality of WordPress. These issues can be exploited by
> convincing an Editor or Administrator into uploading a malicious MP3
> file. Once uploaded, the issues can be triggered by a Contributor or
> higher using the playlist shortcode.
>
> ------------------------------------------
>
> [Reference]
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
> https://codex.wordpress.org/Version_4.7.3
> https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
> http://openwall.com/lists/oss-security/2017/03/06/8
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Chris Andre Dale, Yorick Koster, and Simon P. Briggs

Use CVE-2017-6814.

> [Suggested description]
> In WordPress before 4.7.3 (wp-includes/pluggable.php),
> control characters can trick redirect URL validation.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Trick the URL validation
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 2.8.1-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Daniel Chatfield

Use CVE-2017-6815.

> [Suggested description]
> In WordPress before 4.7.3 (wp-admin/plugins.php),
> unintended files can be deleted by administrators using the plugin
> deletion functionality.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Insecure Permissions
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.7.0-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> wp-admin/plugins.php
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> TrigInc and xuliang

Use CVE-2017-6816.

> [Suggested description]
> In WordPress before 4.7.3 (wp-includes/embed.php),
> there is
> authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.0-4.7.2
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Marc Montpas

Use CVE-2017-6817.

> [Suggested description]
> In WordPress before 4.7.3 (wp-admin/js/tags-box.js),
> there is
> cross-site scripting (XSS) via taxonomy term names.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.7-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> Taxonomy names
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Delta

Use CVE-2017-6818.

> [Suggested description]
> In WordPress before 4.7.3,
> there is
> cross-site request forgery (CSRF) in Press This
> (wp-admin/includes/class-wp-press-this.php), leading to excessive use of
> server resources. The CSRF can trigger an outbound HTTP request for a
> large file that is then parsed by Press This.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Request Forgery (CSRF)
>
> ------------------------------------------
>
> [Affected Product Code Base]
> wordpress - 4.2-4.7.2
>
> ------------------------------------------
>
> [Affected Component]
> Press This module
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Craft an HTML file on a remote server and get an admin to visit it using the
> Press This module
>
> ------------------------------------------
>
> [Reference]
> https://codex.wordpress.org/Version_4.7.3
> https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
> https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
> https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
> http://openwall.com/lists/oss-security/2017/03/06/7
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Sipke Mellema

Use CVE-2017-6819.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-- 
Craig Small (@smallsees)   http://dropbear.xyz/     csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
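The Identification step above asks each triager to say, per channel, whether the packaged version falls in an affected range. The following helper is an added example (not NixOS/security tooling): it takes the six "Affected Product Code Base" ranges exactly as written in the forwarded CVE request, compares a packaged version against them numerically (so that "4.7" and "4.7.0" compare equal and "4.7.10" sorts after "4.7.2"), and emits findings in the roundup's own reporting format. The channel versions passed to `triage()` are constructed sample input, not the real nixpkgs state.

```python
"""Triage helper for Vulnerability Roundup 27 (WordPress CVE-2017-6814..6819).
Added example; the AFFECTED ranges are copied from the CVE request text,
everything else is an assumption of this example."""
import re

# Affected version ranges, verbatim from the forwarded CVE request.
AFFECTED = {
    "CVE-2017-6814": "3.6.0-4.7.2",
    "CVE-2017-6815": "2.8.1-4.7.2",
    "CVE-2017-6816": "4.7.0-4.7.2",
    "CVE-2017-6817": "4.0-4.7.2",
    "CVE-2017-6818": "4.7-4.7.2",
    "CVE-2017-6819": "4.2-4.7.2",
}
FIXED_IN = "4.7.3"  # release named in every [Reference] block above


def parse_version(v):
    """'4.7' -> (4, 7, 0): pad to three components so 4.7 == 4.7.0
    and comparison is numeric (4.7.10 > 4.7.2), not string-wise."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_range(r):
    """'3.6.0-4.7.2' -> ((3, 6, 0), (4, 7, 2)); both ends inclusive."""
    lo, hi = r.split("-", 1)
    return parse_version(lo), parse_version(hi)


def is_affected(version, cve):
    lo, hi = parse_range(AFFECTED[cve])
    return lo <= parse_version(version) <= hi


def triage(channels):
    """channels: {'unstable': '4.7.3', '17.03': '4.7.2', '16.09': None};
    None means not packaged. Returns finding lines in roundup format."""
    lines = []
    for chan, ver in channels.items():
        if ver is None:
            lines.append(f"{chan}: we don't have it packaged")
            continue
        hits = [c for c in AFFECTED if is_affected(ver, c)]
        if hits:
            lines.append(f"{chan}: we are vulnerable ({ver}: "
                         f"{', '.join(hits)}; fixed in {FIXED_IN})")
        else:
            lines.append(f"{chan}: we are not vulnerable ({ver})")
    return lines


if __name__ == "__main__":
    # Constructed sample channel state, not real nixpkgs data.
    print("\n".join(triage({"unstable": "4.7.3", "17.03": "4.7.2", "16.09": None})))
```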



calvertvl commented 7 years ago

unstable: we are not vulnerable (https://github.com/NixOS/nixpkgs/commit/308c09d41f309e5055e45c66c07454581945d458)
17.03: we are not vulnerable (https://github.com/NixOS/nixpkgs/commit/308c09d41f309e5055e45c66c07454581945d458) - same commit as unstable, branch point was after this commit
16.09: we are not vulnerable (https://github.com/NixOS/nixpkgs/commit/674d8cf06f297e4337ca2a248b46e10fb85b766d)