Date: Sat, 30 Nov 2013 21:44:01 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1

Hello list!

In July I wrote about one vulnerability in WordPress, which was hiddenly
fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are
new ones.

These are hiddenly fixed vulnerabilities in such versions of WordPress as
3.6 and 3.6.1. Developers of WP intentionally haven't written about them to
decrease the official number of fixed holes. This is typical for them - since
2007 they have often hidden fixed vulnerabilities.

As I wrote in September (http://websecurity.com.ua/6795/), there are 9 FPD
vulnerabilities which were hiddenly fixed in WP 3.6. They were not
mentioned in the announcement, only mentioned in the Codex (as "bugs"). There
were even cases when WP developers wrote about fixed FPD in official
announcements.

Full path disclosure (WASC-13):

In Media Library if an attachment parent does not exist.
In function parent_dropdown().
In function wp_new_comment().
In function mb_internal_encoding().
At processing of image metadata.
In function get_post_type_archive_feed_link().
In function WP_Image_Editor::multi_resize().
In function wp_generate_attachment_metadata().
At deleting or restoring an item that no longer exists.

Vulnerable are WordPress 3.5.2 and previous versions.

As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD
vulnerabilities which were hiddenly fixed in WP 3.6.1. They were not
mentioned in the announcement or the Codex. There were even cases when WP
developers wrote about fixed FPD in official announcements.

Full path disclosure (WASC-13):

In function get_allowed_mime_types().
In function set_url_scheme().
In function comment_form().

Vulnerable are WordPress 3.6 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

