WP-Super-Cache 1.3 XSS and Remote Code Exec

2013-04-24 / 2013-04-25
Credit: Kurt Seifried
Risk: High
Local: No
Remote: Yes
CWE: N/A

Is there any way to get the WordPress community involved in actually handling security issues properly? E.g. requesting CVEs, or heck, I'll settle for being notified via email directly.

I found out about this stuff on Reddit (linked to Tony Perez's blog posting) so I read the code and voila:

===============================================================
WP-Super-Cache XSS 1.3

Fixed in 1.3.1 with code changes like:

- -<form name="wp_manager" action="<?php echo $_SERVER[ "REQUEST_URI" ]; ?>" method="post">
+<form name="wp_manager" action="" method="post">

Please use CVE-2013-2008 for this issue.

===============================================================
WP-Super-Cache 1.2 Remote Code Execution

Fixed in 1.3:

+2013-04-11 10:39 donncha
+
+ * wp-cache.php: Remove mfunc, mclude and dynamic-cached-content
+ tags from comments. Props Frank Goossen
+ (http://blog.futtta.be/2013/04/10/wp-safer-cache-stopgap-for-wordpress-cache-plugins-vulnerability/)
+ and kisscsaby
+ (http://wordpress.org/support/topic/pwn3d?replies=6)

http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html

To test leave a comment like:

<!?mfunc echo PHP_VERSION; ?><!?/mfunc?>

To fix it they added a mfunc filter in wp-super-cache-1.3/wp-cache.php:

+add_filter( 'preprocess_comment','no_mfunc_in_comments' );
+add_filter( 'comment_text','no_mfunc_in_comments' );
+add_filter( 'comment_excerpt','no_mfunc_in_comments' );
+add_filter( 'comment_text_rss','no_mfunc_in_comments' );

Please use CVE-2013-2009 for this issue.
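
Review bot: in the replacement <form name="wp_manager" ...> line of the 1.3.1 change, the empty action="" does stop the raw $_SERVER[ "REQUEST_URI" ] echo, but an empty action attribute is not valid HTML5. Either drop the attribute (the form still posts to the current URL) or keep the URI and pass it through an escaping function such as esc_url() before output. Since the post says "code changes like", the same unescaped echo should be checked for in every other form the release touches.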
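
Review bot: the four add_filter() lines in wp-cache.php hook no_mfunc_in_comments only into comment paths (preprocess_comment, comment_text, comment_excerpt, comment_text_rss), so the fix relies on comments being the only untrusted text that reaches a cached page. The callback body is not in the quoted lines, so how it matches the mfunc, mclude and dynamic-cached-content tags cannot be checked from here. Stripping tags on input is a denylist; suggest also making evaluation of these tags opt-in in the cache engine, so that a tag which slips past the filter is not executed.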

References:

http://seclists.org/oss-sec/2013/q2/171
http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html
http://cxsecurity.com/issue/WLB-2013040173
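
An added example (not part of the original post or the plugin's code): a Python audit that scans stored comment bodies for the three tag names the 1.3 changelog entry says are stripped, useful for reviewing a site's existing comments after upgrading. The row layout, function names and the loose match on the punctuation after `<!` are assumptions; the sample rows are constructed.

```python
import html
import re

# Tag names come from the 1.3 changelog entry quoted above. The punctuation
# after "<!" is matched loosely (assumption) because the sample comment on
# this page may have lost characters in transit.
DYNAMIC_TAG = re.compile(
    r"<!\W{0,3}\s*(/?)\s*(mfunc|mclude|dynamic-cached-content)\b",
    re.IGNORECASE,
)


def find_dynamic_tags(text):
    """Return the sorted list of dynamic-cache tag names found in one comment."""
    # Decode entities repeatedly so "&amp;lt;!" is seen the same as "<!".
    previous = None
    while previous != text:
        previous, text = text, html.unescape(text)
    return sorted({m.group(2).lower() for m in DYNAMIC_TAG.finditer(text)})


def audit_comments(rows):
    """rows: iterable of (comment_id, comment_text). Returns {id: [tags]}."""
    findings = {}
    for comment_id, body in rows:
        tags = find_dynamic_tags(body)
        if tags:
            findings[comment_id] = tags
    return findings


# Constructed sample rows, shaped like an export of comment id and body.
SAMPLE_ROWS = [
    (101, "Great post, thanks!"),
    (102, "<!?mfunc echo PHP_VERSION; ?><!?/mfunc?>"),
    (103, "nice &lt;!?MCLUDE file.php ?&gt;&lt;!?/mclude?&gt;"),
    (104, "I use the mfunc feature on my own theme."),  # plain mention, no tag
    (105, "&amp;lt;!?dynamic-cached-content?&amp;gt; hi"),  # double-encoded
]

if __name__ == "__main__":
    for cid, tags in audit_comments(SAMPLE_ROWS).items():
        print(cid, ", ".join(tags))
```
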

