List: oss-security
Subject: [oss-security] Re: Path traversal vulnerability in WordPress Core Ajax handlers
From: cve-assign () mitre ! org
Date: 2016-08-22 6:51:07
Message-ID: 20160822065107.12D721BE0E5 () smtpvbsrv1 ! mitre ! org
> https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
> https://core.trac.wordpress.org/ticket/37490
> A path traversal vulnerability was found in the Core Ajax handlers of
> the WordPress Admin API. This issue can (potentially) be used by an
> authenticated user (Subscriber) to create a denial of service condition
> of an affected WordPress site.
>
> OVE-20160712-0036
>> allows for a denial of service condition as the logged in attacker can
>> use this flaw to read up to 8 KB of data from /dev/random. Doing this
>> repeatedly will deplete the entropy pool, which causes /dev/random to
>> block; blocking the PHP scripts. Using a very simple script, it is
>> possible for an authenticated user (Subscriber) to bring down a
>> WordPress site. It is also possible to trigger this issue via
>> Cross-Site Request Forgery as the nonce check is done too late in this
>> case.
>> wp-admin/admin-ajax.php
>> plugin=../../../../../../../../../../dev/random&action=update-plugin
>> WordPress version 4.6 mitigates this vulnerability by moving the CSRF
>> check to the top of the affected method(s).
Use CVE-2016-6896 for the directory traversal vulnerability, and
CVE-2016-6897 for the CSRF. (These two vulnerabilities have different
affected versions.)
- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
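
The two issues named in this thread (a `plugin` value that resolves outside the plugin directory, and a token check that runs too late) can be illustrated with a handler that checks the token first and then confines the path. This is an added example in plain PHP, not WordPress core code and not part of the original message; the function names, the `_token` field and the temporary directory are assumptions made for the illustration.

```php
<?php
// Added illustration, not WordPress core code. All names here are hypothetical.

// Hypothetical stand-in for a per-session anti-CSRF token check.
function token_is_valid(string $sent, string $expected): bool
{
    return $sent !== '' && hash_equals($expected, $sent);
}

// Resolve a client-supplied relative plugin path and return it only if the
// real path is a regular file located under $pluginRoot; otherwise null.
function resolve_plugin_file(string $pluginRoot, string $relative): ?string
{
    $root = realpath($pluginRoot);
    $path = realpath($pluginRoot . DIRECTORY_SEPARATOR . $relative);
    if ($root === false || $path === false) {
        return null;                       // missing root or target
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                       // resolved outside the plugin root
    }
    return is_file($path) ? $path : null;  // rejects devices, directories, FIFOs
}

// Handler skeleton: token check, then path check, and only then file access.
function handle_update_plugin(array $post, string $expectedToken, string $pluginRoot): array
{
    if (!token_is_valid((string)($post['_token'] ?? ''), $expectedToken)) {
        return ['status' => 403, 'error' => 'bad token'];
    }
    $file = resolve_plugin_file($pluginRoot, (string)($post['plugin'] ?? ''));
    if ($file === null) {
        return ['status' => 400, 'error' => 'invalid plugin path'];
    }
    // Bounded read of a header region, mirroring the 8 KB figure quoted above.
    return ['status' => 200, 'header' => file_get_contents($file, false, null, 0, 8192)];
}

// Constructed sample data: a temporary plugin directory and three requests.
$root = sys_get_temp_dir() . '/plugins-demo-' . getmypid();
@mkdir($root . '/hello', 0700, true);
file_put_contents($root . '/hello/hello.php', "<?php\n/* Plugin Name: Hello */\n");
$token = bin2hex(random_bytes(16));
$requests = [
    ['plugin' => 'hello/hello.php', '_token' => $token],
    ['plugin' => '../../../../../../../../../../dev/random', '_token' => $token],
    ['plugin' => 'hello/hello.php'],       // cross-site style request, no token
];
foreach ($requests as $r) { echo $r['plugin'], ' => ', handle_update_plugin($r, $token, $root)['status'], "\n"; }
```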