Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160822065107.12D721BE0E5@smtpvbsrv1.mitre.org>
Date: Mon, 22 Aug 2016 02:51:07 -0400 (EDT)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Path traversal vulnerability in WordPress Core Ajax handlers

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
> https://core.trac.wordpress.org/ticket/37490

> A path traversal vulnerability was found in the Core Ajax handlers of
> the WordPress Admin API. This issue can (potentially) be used by an
> authenticated user (Subscriber) to create a denial of service condition
> of an affected WordPress site.
> 
> OVE-20160712-0036

>> allows for a denial of service condition as the logged in attacker can
>> use this flaw to read up to 8 KB of data from /dev/random. Doing this
>> repeatedly will deplete the entropy pool, which causes /dev/random to
>> block; blocking the PHP scripts. Using a very simple script, it is
>> possible for an authenticated user (Subscriber) to bring down a
>> WordPress site. It is also possible to trigger this issue via
>> Cross-Site Request Forgery as the nonce check is done too late in this
>> case.

>> wp-admin/admin-ajax.php

>> plugin=../../../../../../../../../../dev/random&action=update-plugin

>> WordPress version 4.6 mitigates this vulnerability by moving the CSRF
>> check to the top of the affected method(s).

Use CVE-2016-6896 for the directory traversal vulnerability, and
CVE-2016-6897 for the CSRF. (These two vulnerabilities have different
affected versions.)

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXuqCFAAoJEHb/MwWLVhi2OjkP/0xA4Oj1fAED71fR5c2zMtg4
fFuRRrbSltEIpWbLFi4vg7VAkOhYOqH6LbDPtehXDrZxJ5AFX7ifYyjprvxSLYvn
STcG7ve521b+tPy+0GzdlrHpGRbk81Ekh57Gny9rXEym0msdWJD/zaDV0poJbdEV
E76DEZuZ4eq1XoBQ6FsTvRFinsA7tCB5LjmCa+lZuG9xf4AYFDlMAUJu7I+/uxGO
Ep/CUqYwASjZ50IYBwhbk138PbjEw1iZmcYytlkifACRk9GNmkb2ctt4QKoCIWml
HPY6BnB26CKDGk490MPjLg6+jkAA1v+bTBru5dSMoLw3icAWfHefW/P5yH0S/HoX
eU/RIaaxovd4fkKfzz8lBhWkARGPZrPUGyOIpvaLLgMPLF10xcBraJ32ygrPNndy
ph418Yr4ZCraR9Tdg/EBZlS6Dlhztr16I+Z1FzXIyVemkxafYNAqhqJXUYgx9TFw
IgS7Isk4+2XJQU0u76lIEFGBHsHV2j9tif6lu1ZsrZDKG2OhI09+KHW1wp8gTQKG
QxlbBcl/sD4NBLm58vwdvLm9lMCxc6vv9jdK5hhfz4ATWHSsjTi1O6DC787qCfqW
pnOjNghR3stX7DxzDQmMVFB30OaGMHQ5PGVk5CgK4SmBJuwtxYOBFK919f4KPmz6
8ZrtIoD+v972q+r5kaMU
=WwXr
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.