oss-sec mailing list archives
Re: Re: SWFUpload <= (Object Injection/CSRF) Vulnerabilities Multiple flaws
From: Andrew Nacin <nacin () wordpress org>
Date: Thu, 18 Jul 2013 17:29:17 -0400
On Thu, Jul 18, 2013 at 5:10 PM, Christey, Steven M. <coley () mitre org> wrote:
CVE-2012-2399's only public details are that it's an unspecified vulnerability in Wordpress before 3.3.2, yet http://wordpress.org/news/2012/04/wordpress-3-3-2/ is pretty vague and mentions multiple products (although it does credit Neal Poole for at least one issue). That said, a statement by a lead developer of Wordpress is important for this clarification ;-) Andrew, can you confirm for sure that CVE-2012-2399 is *also* the same as CVE-2012-3414 for Neal Poole's movieName vector?
Negative, I was mistaken. Sorry for the confusion. CVE-2012-2399 was a separate XSS, affecting buttonText, and reported by Szymon Gruszecki. CVE-2012-3414 was Neal Poole's report, affecting movieName. So, CVE-2013-4145 is a duplicate of CVE-2012-3414, *not* of CVE-2012-2399. That said, given that CVE-2012-2399 was not publicly described at the time, I would not be surprised if one or more CVEs have been issued for the same XSS via buttonText at one point.
Christey, Steven M. <coley () mitre org> wrote:
Since swfupload.swf is apparently widely used, researchers may be finding the same issue over and over again in different packages, and presenting them as if they are new. Yet there might be some attack variants buried in there, too. Because of the amount of attention by researchers who don't check whether an issue has already been disclosed, and/or the number of independent products that use this library, any "new" swfupload.swf issues should be regarded with extreme suspicion while CVE tries to iron out all the existing duplicates.
Related, for those who haven't seen, WordPress forked SWFUpload last month. Both Neal and Szymon have been helping us with the fork, as well. At this point, in terms of issues known to us, only the image injection issue is unfixed.
Fork: https://github.com/wordpress/secure-swfupload
Post: http://make.wordpress.org/core/2013/06/21/secure-swfupload/