'[oss-security] Re: Path traversal vulnerability in WordPress Core Ajax handlers'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Re: Path traversal vulnerability in WordPress Core Ajax handlers
From:       cve-assign () mitre ! org
Date:       2016-08-22 6:51:07
Message-ID: 20160822065107.12D721BE0E5 () smtpvbsrv1 ! mitre ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
> https://core.trac.wordpress.org/ticket/37490

> A path traversal vulnerability was found in the Core Ajax handlers of
> the WordPress Admin API. This issue can (potentially) be used by an
> authenticated user (Subscriber) to create a denial of service condition
> of an affected WordPress site.
> 
> OVE-20160712-0036

>> allows for a denial of service condition as the logged in attacker can
>> use this flaw to read up to 8 KB of data from /dev/random. Doing this
>> repeatedly will deplete the entropy pool, which causes /dev/random to
>> block; blocking the PHP scripts. Using a very simple script, it is
>> possible for an authenticated user (Subscriber) to bring down a
>> WordPress site. It is also possible to trigger this issue via
>> Cross-Site Request Forgery as the nonce check is done too late in this
>> case.

>> wp-admin/admin-ajax.php

>> plugin=../../../../../../../../../../dev/random&action=update-plugin

>> WordPress version 4.6 mitigates this vulnerability by moving the CSRF
>> check to the top of the affected method(s).

Use CVE-2016-6896 for the directory traversal vulnerability, and
CVE-2016-6897 for the CSRF. (These two vulnerabilities have different
affected versions.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXuqCFAAoJEHb/MwWLVhi2OjkP/0xA4Oj1fAED71fR5c2zMtg4
fFuRRrbSltEIpWbLFi4vg7VAkOhYOqH6LbDPtehXDrZxJ5AFX7ifYyjprvxSLYvn
STcG7ve521b+tPy+0GzdlrHpGRbk81Ekh57Gny9rXEym0msdWJD/zaDV0poJbdEV
E76DEZuZ4eq1XoBQ6FsTvRFinsA7tCB5LjmCa+lZuG9xf4AYFDlMAUJu7I+/uxGO
Ep/CUqYwASjZ50IYBwhbk138PbjEw1iZmcYytlkifACRk9GNmkb2ctt4QKoCIWml
HPY6BnB26CKDGk490MPjLg6+jkAA1v+bTBru5dSMoLw3icAWfHefW/P5yH0S/HoX
eU/RIaaxovd4fkKfzz8lBhWkARGPZrPUGyOIpvaLLgMPLF10xcBraJ32ygrPNndy
ph418Yr4ZCraR9Tdg/EBZlS6Dlhztr16I+Z1FzXIyVemkxafYNAqhqJXUYgx9TFw
IgS7Isk4+2XJQU0u76lIEFGBHsHV2j9tif6lu1ZsrZDKG2OhI09+KHW1wp8gTQKG
QxlbBcl/sD4NBLm58vwdvLm9lMCxc6vv9jdK5hhfz4ATWHSsjTi1O6DC787qCfqW
pnOjNghR3stX7DxzDQmMVFB30OaGMHQ5PGVk5CgK4SmBJuwtxYOBFK919f4KPmz6
8ZrtIoD+v972q+r5kaMU
=WwXr
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic