WordPress 3.6.1 PHP unserialization & Open Redirect & Privilege Escalation

漏洞ID 1044445 漏洞类型
发布时间 2013-09-12 更新时间 2013-09-12
CVE编号 CVE-2013-4338
CVE-2013-4339
CVE-2013-4340
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2013090093
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Three issues fixed in WordPress 3.6.1:
http://codex.wordpress.org/Version_3.6.1

 * Unsafe PHP unserialization. CWE-502.
http://core.trac.wordpress.org/changeset/25325
.
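--- a/branches/3.6/wp-includes/functions.php
+++ b/branches/3.6/wp-includes/functions.php
@@ -243,7 +243,8 @@
  *
  * @param mixed $data Value to check to see if was serialized.
+ * @param bool $strict Optional. Whether to be strict about the end of the string. Defaults true.
  * @return bool False if not serialized and true if it was.
  */
-function is_serialized( $data ) {
+function is_serialized( $data, $strict = true ) {
     // if it isn't a string, it isn't serialized
     if ( ! is_string( $data ) )
@@ -257,12 +258,22 @@
     if ( ':' !== $data[1] )
         return false;
-    $lastc = $data[$length-1];
-    if ( ';' !== $lastc && '}' !== $lastc )
-        return false;
+    if ( $strict ) {
+        $lastc = $data[ $length - 1 ];
+        if ( ';' !== $lastc && '}' !== $lastc )
+            return false;
+    } else {
+        // ensures ; or } exists but is not in the first X chars
+        if ( strpos( $data, ';' ) < 3 && strpos( $data, '}' ) < 4 )
+            return false;
+    }
     $token = $data[0];
     switch ( $token ) {
         case 's' :
-            if ( '"' !== $data[$length-2] )
+            if ( $strict ) {
+                if ( '"' !== $data[ $length - 2 ] )
+                    return false;
+            } elseif ( false === strpos( $data, '"' ) ) {
                 return false;
+            }
         case 'a' :
         case 'O' :
@@ -271,5 +282,6 @@
         case 'i' :
         case 'd' :
-            return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/", $data );
+            $end = $strict ? '$' : '';
+            return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );
     }
     return false;
@@ -318,5 +330,5 @@
     // Double serialization is required for backward compatibility.
     // See http://core.trac.wordpress.org/ticket/12930
-    if ( is_serialized( $data ) )
+    if ( is_serialized( $data, false ) )
         return serialize( $data );
 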
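Review bot: The comment on new line 265, `// ensures ; or } exists but is not in the first X chars`, leaves the thresholds unexplained while line 266 hard-codes `< 3` and `< 4`, and that line also depends on `strpos()` returning `false` for a missing character and `false < 3` comparing true, which is the only thing that rejects strings containing neither delimiter. I would replace the comment with `// non-strict: accept if ';' occurs at offset >= 3 or '}' at offset >= 4 (a missing char makes strpos() return false, which compares as 0 and fails)`. The new `@param bool $strict` entry on line 245 should also say that the lenient mode exists for `maybe_serialize()` (new line 332), which presumably wants to double-serialize anything that would still unserialize despite trailing bytes rather than store it raw; a reader seeing only `$strict = false` cannot tell whether the lenient check is the safer or the riskier one. `$length` is assigned between the first and second hunks, outside what is shown.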

 * Open Redirect / Insufficient Input Validation. CWE-601.
http://core.trac.wordpress.org/changeset/25323 and
http://core.trac.wordpress.org/changeset/25324.

Index: branches/3.6/wp-includes/functions.php
===================================================================
--- a/branches/3.6/wp-includes/functions.php
+++ b/branches/3.6/wp-includes/functions.php
@@ -1284,5 +1284,5 @@
 
     if ( $ref && $ref !== wp_unslash( $_SERVER['REQUEST_URI'] ) )
-        return wp_unslash( $ref );
+        return wp_validate_redirect( $ref, false );
     return false;
 }
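Review bot: The added return drops the `wp_unslash()` the removed line applied to `$ref`, so it is only equivalent if `$ref` is already unslashed where it is assigned, above the hunk; the context line comparing `$ref` against `wp_unslash( $_SERVER['REQUEST_URI'] )` suggests it is, but that is not visible here, whereas the next hunk (`wp_get_original_referer()`) keeps the `wp_unslash()` inside the `wp_validate_redirect()` call. Both functions now return either a referer that `wp_validate_redirect()` accepted or `false`, so their docblocks, which sit above each hunk outside what is shown, should say so, e.g. `@return string|false Referer URL that passed wp_validate_redirect(), or false if none was given or it failed validation.` The enclosing function of this hunk starts outside the hunk.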
@@ -1299,5 +1299,5 @@
 function wp_get_original_referer() {
     if ( !empty( $_REQUEST['_wp_original_http_referer'] ) )
-        return wp_unslash( $_REQUEST['_wp_original_http_referer'] );
+        return wp_validate_redirect( wp_unslash( $_REQUEST['_wp_original_http_referer'] ), false );
     return false;
 }

 * Privilege Escalation: a user with an Author role, using a specially
crafted request, was able to create a post that was marked as "written by"
another user. http://core.trac.wordpress.org/changeset/25321.

Index: branches/3.6/wp-admin/includes/post.php
===================================================================
--- a/branches/3.6/wp-admin/includes/post.php
+++ b/branches/3.6/wp-admin/includes/post.php
@@ -53,6 +53,5 @@
         $post_data['to_ping'] = $post_data['trackback_url'];
 
-    if ( !isset($post_data['user_ID']) )
-        $post_data['user_ID'] = $GLOBALS['user_ID'];
+    $post_data['user_ID'] = $GLOBALS['user_ID'];
 
     if (!empty ( $post_data['post_author_override'] ) ) {
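Review bot: The unconditional `$post_data['user_ID'] = $GLOBALS['user_ID'];` is the whole fix, yet nothing in the code says why the request-supplied value is no longer honoured, so a later refactor could reintroduce the `isset()` guard. I would add a why-comment above it: `// Always use the logged-in user; a user_ID supplied in the request must not be trusted, otherwise an Author can attribute a post to another user.` The `get_current_user_id()` accessor would express the same intent without reaching into `$GLOBALS`, if the surrounding function has no reason to read the global directly. The `post_author_override` branch that follows continues past the hunk, so whether it is capability-checked cannot be judged here.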