WordPress 4.4.2 SSRF and open redirect vulnerability

2016.02.09
Credit: Multiple
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-601

Hi,

A new security and maintenance release for WordPress was announced, which addresses two security issues:

https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/

According to the announcement:

WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.

References:

https://core.trac.wordpress.org/changeset/36444

trunk/src/wp-includes/pluggable.php Index: trunk/src/wp-includes/pluggable.php =================================================================== --- a/trunk/src/wp-includes/pluggable.php +++ b/trunk/src/wp-includes/pluggable.php @@ -1337,7 +1337,15 @@ return $default; - // Reject if scheme is set but host is not. This catches urls like https:host.com for which parse_url does not set the host field. - if ( isset($lp['scheme']) && !isset($lp['host']) ) + // Reject if certain components are set but host is not. This catches urls like https:host.com for which parse_url does not set the host field. + if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) { return $default; + } + + // Reject malformed components parse_url() can return on odd inputs. + foreach ( array( 'user', 'pass', 'host' ) as $component ) { + if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) { + return $default; + } + } $wpp = parse_url(home_url());

https://core.trac.wordpress.org/changeset/36435

Index: trunk/src/wp-includes/http.php =================================================================== --- a/trunk/src/wp-includes/http.php +++ b/trunk/src/wp-includes/http.php 
@@ -537,5 +537,5 @@ if ( $ip ) { $parts = array_map( 'intval', explode( '.', $ip ) ); - if ( 127 === $parts[0] || 10 === $parts[0] + if ( 127 === $parts[0] || 10 === $parts[0] || 0 === $parts[0] || ( 172 === $parts[0] && 16 <= $parts[1] && 31 >= $parts[1] ) || ( 192 === $parts[0] && 168 === $parts[1] )

Regards,
Salvatore
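
Review bot: In the pluggable.php hunk (@@ -1337), the new comment "Reject malformed components parse_url() can return on odd inputs." does not say which inputs it guards against, unlike the comment above it, which names https:host.com. Please add one concrete example URL to the comment and a unit test for it, so the foreach over 'user', 'pass' and 'host' is not later removed as dead code. The strpbrk() result is also used as a bare truthy value; it happens to be safe because any match starts with one of ':/?#@', but an explicit false !== strpbrk( ... ) comparison would make that intent obvious to the next reader.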
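
Review bot: In the http.php hunk (@@ -537), adding 0 === $parts[0] extends a hand-maintained denylist one octet at a time, and the condition as shown still has no entry for 169.254.0.0/16 (link-local). It also depends on array_map( 'intval', explode( '.', $ip ) ), which assumes $ip is always a four-part decimal dotted quad. Consider validating $ip first and then replacing or backing the octet comparisons with filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ), so reserved and private ranges are rejected in one place rather than by enumeration.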

References:

https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
https://core.trac.wordpress.org/changeset/36444
https://core.trac.wordpress.org/changeset/36435

