пятница, 5 сентября 2014 г.

WordPress 3.9.2- XXE through media upload (WAV ID3 tag)

Recently WordPress patched XXE vulnerability http://wordpress.org/news/2014/08/wordpress-3-9-2/ which were found during @ONsec_lab security audit of another one web-application.

Now time to describe this vulnerability in details!

The reason is GetID3 library which included into WordPress by default:
./wp-includes/ID3/getid3.lib.php:
521     public static function XML2array($XMLstring) {
522             if (function_exists('simplexml_load_string')) {
523                     if (function_exists('get_object_vars')) {
524                             $XMLobject = simplexml_load_string($XMLstring);

Requires PHP 5.5.0- (simple_xml was patched to disable external entities since ~5.5.0)

To use this vulnerability attacker must have privileges to upload Media (editor privileges for example).

PoC is available at our GitHub repo: https://github.com/ONsec-Lab/scripts/blob/master/getid3-xxe.wav

Timeline:
5/12/14 vendor notified
5/15/14 vulnerability confirmed
8/06/14 fixed at version 3.9.2
Автор: на

23 комментария:

  1. thulannguyen6 сентября 2016 г., 02:54

    Thanks for sharing, nice post!

    Chia sẻ bí quyết kinh nghiệm mua hàng với hướng dẫn mua hàng trên aliexpress hay bài viết chia sẻ kinh nghiệm mua hàng cực chất lượng, uy tín với bài cách mua hàng aliexpress nhanh nhất và an toàn nhất hay hướng dẫn các mẹ cách mua hàng kinh nghiệm mua hàng trên aliexpress có đảm bảo an toàn, chất lương hay hàng hóa trên Aliexpress có tốt không việc mua hàng khiến nhiều người lo lắng mua hàng trên aliexpress có an toàn không mua hàng trên aliexpress có đảm bảo không cũng như cách mua như thế nào, chia sẻ các bạn cách mua hàng trên aliexpress về Việt Nam uy tín, hay ra máu báo thai có đau bụng không phải xử lý nhu thế nào hay việc thai thai 39 tuần ra dịch nhầy màu trắng có sao không, cách điều trị ra sao hay giải thích hiện tượng nút nhầy cổ tử cung có màu gì hay máu báo có thai là máu gì như thế nào hay máu báo thai ra trong mấy ngày và việc bóc tách túi thai có nguy hiểm không hay bị bóc tách túi thai nên ăn gì chế độ nghỉ ngơi như thế nào cho hợp lý.

    ОтветитьУдалить
  2. Unknown8 октября 2017 г., 08:42

    Так же я слышал про шаблоны интернет магазина wordpress, с которыми легко создавать от блогов до достаточно сложных интернет-магазинов, и не только!

    ОтветитьУдалить
  3. Mckelvey Broomfield14 марта 2018 г., 06:49

    Bring in a present service bill to demonstrate your habitation. In many cases a permit won't have the most current address. Since service bills are paid every month, you should give the latest one.
    Payday Loans San-diego
    Cash Advance
    Auto Title Loans

    ОтветитьУдалить
  4. Unknown27 сентября 2018 г., 23:05

    instagram bio Instagram usernames instagram captions

    ОтветитьУдалить
  5. loanss26 ноября 2018 г., 05:13

    Этот комментарий был удален автором.

    ОтветитьУдалить
  6. loanss26 ноября 2018 г., 05:38

    Pretty nice post. I just stumbled upon your blog and wished to say that I’ve truly enjoyed surfing around your blog posts.

    Online Payday Loans
    Cash Advance Loan
    Emergency payday Loans Payday Loans
    Bad Credit

    ОтветитьУдалить
  7. Freight9 августа 2019 г., 02:24

    Thanks for the helpful article, it gives me a lot of good information
    Nếu bạn có nhu cầu sử dụng dịch vụ vận chuyển ô tô bắc nam, thuê xe tải chở hàng, gửi xe máy bằng tàu hỏa, chuyển hàng bằng container,... hay liên hệ với proship để được tư vẫn và sử dụng dịch vụ của chúng tôi.

    ОтветитьУдалить
  8. loanss9 сентября 2019 г., 05:01

    Thanks for sharing this nice and informative article. I am really impressed! All the information is dealt with clarity.

    Want to recover from an unexpected financial emergency? Get Emergency Payday Loans Online Now.

    Online Payday Loans
    online Loans
    Cash Advance Loans
    Payday Loans
    Emergency payday Loans

    ОтветитьУдалить
  9. Treasurebox28 сентября 2019 г., 01:21

    That's the quite different which you provide now. looking for the best online store in Newzealand. We will provide you treasurebox store items which you will be provide easily on a single click.

    ОтветитьУдалить
  10. Ali Ahsan 20 октября 2019 г., 10:20

    Forever sells world-class good quality products with the help of network marketing (Direct Selling). It has various range of products like Drinks, Bee Products, Nutritional Supplements, Weight Management, Personal Care, Skin Care etc. You can see here the full catalogue of Forever Living Products. We are providing the updated Forever Living products price list

    ОтветитьУдалить
  11. Ali Ahsan 6 ноября 2019 г., 03:22


    Having a good username on TikTok is so important. Because if it will attractive and catchy then it helps to gain follower. Because when someone like your video then he tells to his friends and others about you and suggest them to follow you and if your username is simple and awesome then It's a big advantage for you. So you can find many TikTok Usernamehere.

    ОтветитьУдалить
  12. Ali Ahsan 11 ноября 2019 г., 19:31

    Roblox is a big multiplayer online game creation system. Where an user can create his own game and play it. You can create many types of games in Roblox. Roblox has 100 million monthly active users in all over the world. If you also a user of Roblox then you will definitely like these Roblox memes.

    ОтветитьУдалить
  13. Ali Ahsan 17 ноября 2019 г., 10:27

    If you are searching for Minecraft usernames then your search ends here. If you want a catchy, attractive and good minecraft username then you can find many Minecraft Username for boys here.

    ОтветитьУдалить
  14. كيمو نور0020120172628627 января 2020 г., 14:00


    شركة تنظيف كنب بجازان
    شركة تنظيف مجالس بجازان
    شركة تنظيف منازل بجازان
    شركة تنظيف فلل بجازان
    شركة تنظيف شقق بجازان
    شركة تنظيف خزانات بجازان

    ОтветитьУдалить
  15. elsa1 марта 2020 г., 09:46

    High quality iPhone Cases & Covers by independent artists and designers from around the world.check it ou now in iPhone xs max cases

    ОтветитьУдалить
  16. salma22 марта 2020 г., 16:17



    شركة مكافحة حشرات بالاحساء شركة مكافحة حشرات بالاحساء
    شركة مكافحة النمل الابيض بالرياض شركة مكافحة النمل الابيض بالرياض

    ОтветитьУдалить
  17. ALBUM LYRICS AZ23 апреля 2020 г., 06:55

    So very nice article
    https://www.lyricsmu.com

    ОтветитьУдалить
  18. Rahul Bansal7 мая 2020 г., 09:26

    Lyrics Djsongis the best Hindi Punjabi song lyrics website

    ОтветитьУдалить
  19. updatelyric5 июня 2020 г., 08:20

    Like!! Really appreciate you sharing this blog post.Really thank you! Keep writing.

    ОтветитьУдалить
  20. We Buy Houses USA22 июня 2020 г., 18:30

    No Credit Check Online Payday Loans Fast Nationwide USA. Get Qualified for Payday Loans Near Me Today. Fair Cash Offers. Any Location: Personal Loans, Online Title Loans Near Me, Payday Loans, Home Loans, Mortgage Loans, Hard Money Loan, and everything else! Fast Loans Nationwide USA.

    ОтветитьУдалить
  21. ESA Letter30 июня 2020 г., 20:13

    Need an Emotional Support Animal Letter Fast? We help people with anxiety, depression, or chronic stress connect with a mental health professional that will provide an ESA letter quickly. An emotional support animal letter can help you bring your pet into the cabin of an airplane and/or into apartment complexes without paying any fees.

    ОтветитьУдалить
  22. Mobile Notary DC Maryland Virginia1 июля 2020 г., 20:04

    Этот комментарий был удален автором.

    ОтветитьУдалить
  23. Mobile Notary DC Maryland Virginia1 июля 2020 г., 20:06

    Looking For a Notary Services Near Me DC, Maryland or Virginia? Need Notary Near Me DC or Maryland? 24 Hour Mobile Notary DC MD & VA; DMV Notary Mobile. Traveling Notaries that Comes to You. Notarizing Power of Attorney, Wills, Deeds, Escrow Documents, Financial Documents, Contracts, Loan Signings, Affirmations, Oaths, Apostille Services and Authentications

    ОтветитьУдалить

Подписаться на: Комментарии к сообщению (Atom)