Securityvulns, SECURITYVULNS:DOC:30052
Dec 09, 2013

Vulnerabilities hiddenly fixed in WordPress 3.6 and 3.6.1

Hello list!

In July I wrote about one vulnerability in WordPress, which was hiddenly fixed in version 3.5.2 (http://securityvulns.ru/docs29555.html). Here are new ones.

These are hiddenly fixed vulnerabilities in such versions of WordPress as 3.6 and 3.6.1. Developers of WP intentionally haven't written about them to decrease the official number of fixed holes. This is typical for them - since 2007 they have often hidden fixed vulnerabilities.

As I wrote in September (http://websecurity.com.ua/6795/), there are 9 FPD vulnerabilities, which were hiddenly fixed in WP 3.6. They were not mentioned in the announcement, only in the Codex (as "bugs"). There have even been cases when WP developers wrote about fixed FPD in official announcements.

Full path disclosure (WASC-13):

In Media Library if an attachment parent does not exist.
In function parent_dropdown().
In function wp_new_comment().
In function mb_internal_encoding().
At processing of image metadata.
In function get_post_type_archive_feed_link().
In function WP_Image_Editor::multi_resize().
In function wp_generate_attachment_metadata().
At deleting or restoring an item that no longer exists.

Vulnerable are WordPress 3.5.2 and previous versions.

As I wrote in November (http://websecurity.com.ua/6904/), there are 3 FPD vulnerabilities, which were hiddenly fixed in WP 3.6.1. They were not mentioned in the announcement or the Codex. There have even been cases when WP developers wrote about fixed FPD in official announcements.

Full path disclosure (WASC-13):

In function get_allowed_mime_types().
In function set_url_scheme().
In function comment_form().

Vulnerable are WordPress 3.6 and previous versions.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
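
A defender-side check for the class of issue listed above (WASC-13), as an added example that is not part of the original post and not WordPress code: it scans an HTTP response body from your own site for PHP error output that reveals an absolute path, and derives the install root when the path lies in a WordPress directory. It assumes the leak appears as standard PHP error output; the function name `find_path_disclosures`, the sample responses and the paths in them are constructed for illustration.

```python
import html
import re

# PHP error output once tags are stripped:
#   "Warning: <message> in <absolute path> on line <N>"
PHP_ERROR = re.compile(
    r"(?P<level>Fatal error|Parse error|Warning|Notice|Deprecated|Strict Standards)"
    r":\s+(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:[\\/])[^\r\n<>\"']+?)"   # Unix or Windows absolute path
    r"\s+on\s+line\s+(?P<line>\d+)"
)
TAG = re.compile(r"<[^>]+>")
WP_DIR = re.compile(r"[\\/](wp-admin|wp-includes|wp-content)[\\/]")


def find_path_disclosures(body):
    """Return one dict per PHP error in a response body that leaks a server path."""
    # With html_errors enabled PHP wraps level, path and line in <b> tags,
    # so strip markup and decode entities before matching.
    text = html.unescape(TAG.sub("", body))
    findings = []
    for m in PHP_ERROR.finditer(text):
        path = m.group("path")
        wp = WP_DIR.search(path)
        findings.append({
            "level": m.group("level"),
            "path": path,
            "line": int(m.group("line")),
            # Everything before the WordPress directory is the leaked install root.
            "install_root": path[:wp.start()] if wp else None,
        })
    return findings


# Constructed sample responses (not captured from a real site; paths are placeholders).
SAMPLES = {
    "html_errors on": "<br />\n<b>Warning</b>:  constructed message in "
                      "<b>/var/www/example/wp-includes/placeholder.php</b> on line <b>12</b><br />",
    "plain text": "Fatal error: constructed message in "
                  "C:\\inetpub\\example\\wp-admin\\placeholder.php on line 7",
    "clean page": "<html><body><p>Log in to post a comment.</p></body></html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_path_disclosures(body))
```

An empty result for a page only means no PHP-formatted error was rendered in that response; paths can also leak through custom error handlers that use a different format.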