oss-sec mailing list archives

Re: WP-Super-Cache XSS and Remote Code Exec

From: Henri Salo <henri () nerv fi>
Date: Wed, 24 Apr 2013 22:53:35 +0300

On Wed, Apr 24, 2013 at 12:30:57PM -0600, Kurt Seifried wrote:

http://blog.sucuri.net/2013/04/update-wp-super-cache-and-w3tc-immediately-remote-code-execution-vulnerability-disclosed.html

To test leave a comment like: <!?mfunc echo PHP_VERSION; ?><!?/mfunc?>

To fix it they added a mfunc filter in wp-super-cache-1.3/wp-cache.php:

+add_filter( 'preprocess_comment','no_mfunc_in_comments' );
+add_filter( 'comment_text','no_mfunc_in_comments' );
+add_filter( 'comment_excerpt','no_mfunc_in_comments' );
+add_filter( 'comment_text_rss','no_mfunc_in_comments' );

Please use CVE-2013-2009 for this issue.


I was going to request CVEs for these today. No idea why WordPress guys aren't
doing this, but they probably think it will take too much time and in some days
it might. There is a lot of plugins and also lots of vulnerabilities in them.

Should CVE-2013-2009 be used also for w3-total-cache issue?

---
Henri Salo

Attachment: signature.asc
Description: Digital signature

Current thread:

WP-Super-Cache XSS and Remote Code Exec Kurt Seifried (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Kurt Seifried (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Henri Salo (Apr 24)
  - Re: WP-Super-Cache XSS and Remote Code Exec Henri Salo (Apr 24)
- Re: WP-Super-Cache XSS and Remote Code Exec Hanno Böck (Apr 24)
  - Re: WP-Super-Cache XSS and Remote Code Exec Kurt Seifried (Apr 24)