Image object injection vulnerability via 'buttonImageURL' parameter #1
From an email sent by @nealpoole:
From an email sent by me:
From an email sent by Szymon Gruszecki:
I've also filed http://core.trac.wordpress.org/ticket/24728#ticket as a solution for those of us who are happy to just turn off / remove swfupload and not use plugins that still depend on it. We received a report of this issue today as well.
For the time being, those looking for an immediate solution can just use the below in .htaccess:
If you need to keep swfupload.swf accessible but want to prevent the use of the buttonImageURL parameter, something like this might work...
More issues, CVEs assigned: http://openwall.com/lists/oss-security/2013/07/18/10
@kseifriedredhat: CVE-2013-4145 / CVE-2013-4146 are incorrectly allocated.
@nealpoole: Yep. Here is the rest of the thread:
This issue therefore is CVE-2013-4144. 4145 and 4146 will be merged into CVE-2012-3414.
Please take discussion to oss-security so Steve/Andrew/etc can see it.
@alexalexandru: Are you referring to https://nealpoole.com/blog/2012/05/xss-and-csrf-via-swf-applets-swfupload-plupload/? If so, it was patched several years ago.
@nealpoole Yes, thanks for clarifying this one.
I've received a few reports today of an image object injection problem in swfupload affecting WordPress. I'm filing this public issue here after contacting swfupload-security@wordpress.org and being asked to do so (as this issue is already public knowledge).
There's an object injection "vulnerability" in swfupload, as shown by this demo URL:
https://wordpress.org/news/wp-includes/js/swfupload/swfupload.swf?buttonImageURL=http://1337day.com/img/logo_green.jpg
Known advisories for this issue:
http://1337day.com/exploit/20669
http://bot24.blogspot.com/2013/04/swfupload-object-injectioncsrf.html
This was tested on WordPress 3.5.2.
As discussed on e-mail, there are three basic options:
My recommendation would be to restrict buttonImageURL to the same origin as the blog site, as swfupload is already deprecated, and I'd rather it be secure but slightly broken than have a known issue that could be used for spoofing or other issues.
Thanks!
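
The same-origin restriction recommended in the report above, sketched as an added example; it is not part of the original issue or of swfupload's own code. It resolves a `buttonImageURL` value the way a browser would and applies the same test to request targets taken from an access log, so off-site image loads can be found after the fact. `SITE_ORIGIN`, the function names and the sample request targets are assumptions made for illustration.

```javascript
// Added example. SITE_ORIGIN, the function names and the sample request
// targets are constructed for illustration.
const SITE_ORIGIN = "https://blog.example";

// True only if `value` resolves, as a browser would resolve it relative to
// the site, to an http(s) URL on the site's own origin (scheme, host, port).
function isSameOriginImage(value, siteOrigin) {
  let resolved;
  try {
    resolved = new URL(value, siteOrigin + "/");
  } catch (e) {
    return false; // unparseable value: reject
  }
  if (resolved.protocol !== "http:" && resolved.protocol !== "https:") {
    return false; // data:, javascript: and other non-web schemes
  }
  return resolved.origin === new URL(siteOrigin).origin;
}

// For one request target from an access log, return the buttonImageURL
// values that point off-site. Only requests for swfupload.swf are inspected.
function crossOriginButtonImages(requestTarget, siteOrigin) {
  let url;
  try {
    url = new URL(requestTarget, siteOrigin + "/");
  } catch (e) {
    return [];
  }
  if (!/\/swfupload\.swf$/i.test(url.pathname)) return [];
  return url.searchParams
    .getAll("buttonImageURL")
    .filter((value) => !isSameOriginImage(value, siteOrigin));
}

// Constructed sample request targets.
const SAMPLE_REQUESTS = [
  "/wp-includes/js/swfupload/swfupload.swf?buttonImageURL=/wp-includes/images/upload.png",
  "/wp-includes/js/swfupload/swfupload.swf?buttonImageURL=http%3A%2F%2Fimg.example.net%2Flogo.jpg",
  "/wp-includes/js/swfupload/swfupload.swf?buttonImageURL=//img.example.net/logo.jpg",
  "/wp-includes/js/swfupload/swfupload.swf?buttonImageURL=https://blog.example@img.example.net/a.png",
  "/index.php?buttonImageURL=http://img.example.net/logo.jpg",
];

function flaggedRequests(requests, siteOrigin) {
  return requests.filter((r) => crossOriginButtonImages(r, siteOrigin).length > 0);
}

console.log(flaggedRequests(SAMPLE_REQUESTS, SITE_ORIGIN));
```

Comparing the parsed origin rather than matching on the string is what catches the protocol-relative (`//host/...`) and userinfo (`site@host`) forms, both of which a prefix check on the blog's hostname would let through.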