WordPress 3.6.1 PHP unserialization & Open Redirect & Privilege Escalation

2013.09.12
Credit: Andrew Nacin
Risk: Medium
Local: No
Remote: Yes

Three issues fixed in WordPress 3.6.1: http://codex.wordpress.org/Version_3.6.1 * Unsafe PHP unserialization. CWE-502. http://core.trac.wordpress.org/changeset/25325 . branches/3.6/wp-includes/functions.php r25323 r25325 243 243 * 244 244 * @param mixed $data Value to check to see if was serialized. 245 * @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true. 245 246 * @return bool False if not serialized and true if it was. 246 247 */ 247 function is_serialized( $data ) { 248 function is_serialized( $data, $strict = true ) { 248 249 // if it isn't a string, it isn't serialized 249 250 if ( ! is_string( $data ) ) &#8230; &#8230; 257 258 if ( ':' !== $data[1] ) 258 259 return false; 259 $lastc = $data[$length-1]; 260 if ( ';' !== $lastc && '}' !== $lastc ) 261 return false; 260 if ( $strict ) { 261 $lastc = $data[ $length - 1 ]; 262 if ( ';' !== $lastc && '}' !== $lastc ) 263 return false; 264 } else { 265 // ensures ; or } exists but is not in the first X chars 266 if ( strpos( $data, ';' ) < 3 && strpos( $data, '}' ) < 4 ) 267 return false; 268 } 262 269 $token = $data[0]; 263 270 switch ( $token ) { 264 271 case 's' : 265 if ( '"' !== $data[$length-2] ) 272 if ( $strict ) { 273 if ( '"' !== $data[ $length - 2 ] ) 274 return false; 275 } elseif ( false === strpos( $data, '"' ) ) { 266 276 return false; 277 } 267 278 case 'a' : 268 279 case 'O' : &#8230; &#8230; 271 282 case 'i' : 272 283 case 'd' : 273 return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data ); 284 $end = $strict ? '$' : ''; 285 return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data ); 274 286 } 275 287 return false; &#8230; &#8230; 318 330 // Double serialization is required for backward compatibility. 319 331 // See http://core.trac.wordpress.org/ticket/12930 320 if ( is_serialized( $data ) ) 332 if ( is_serialized( $data, false ) ) 321 333 return serialize( $data ); 322 334 * Open Redirect / Insufficient Input Validation. CWE-601. http://core.trac.wordpress.org/changeset/25323 and http://core.trac.wordpress.org/changeset/25324. Index: branches/3.6/wp-includes/functions.php =================================================================== --- a/branches/3.6/wp-includes/functions.php +++ b/branches/3.6/wp-includes/functions.php @@ -1284,5 +1284,5 @@ if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) ) - return wp_unslash( $ref ); + return wp_validate_redirect( $ref, false ); return false; } @@ -1299,5 +1299,5 @@ function wp_get_original_referer() { if ( !empty( $_REQUEST['_wp_original_http_referer'] ) ) - return wp_unslash( $_REQUEST['_wp_original_http_referer'] ); + return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false ); return false; } * Privilege Escalation: a user with an Author role, using a specially crafted request, was able to create a post that was marked as "written by" another user. http://core.trac.wordpress.org/changeset/25321. Index: branches/3.6/wp-admin/includes/post.php =================================================================== --- a/branches/3.6/wp-admin/includes/post.php +++ b/branches/3.6/wp-admin/includes/post.php @@ -53,6 +53,5 @@ $post_data['to_ping'] = $post_data['trackback_url']; - if ( !isset($post_data['user_ID']) ) - $post_data['user_ID'] = $GLOBALS['user_ID']; + $post_data['user_ID'] = $GLOBALS['user_ID']; if (!empty ( $post_data['post_author_override'] ) ) {

Referencje:

http://codex.wordpress.org/Version_3.6.1
http://core.trac.wordpress.org/changeset/25325
http://core.trac.wordpress.org/changeset/25321
http://core.trac.wordpress.org/changeset/25323
http://core.trac.wordpress.org/changeset/25324


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top