Bug 1007340 (CVE-2013-4338, CVE-2013-4339, CVE-2013-4340, CVE-2013-5738, CVE-2013-5739)

Summary: CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 wordpress: new security issues fixed in 3.6.1
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: wordpress 3.6.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:30:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Reporter: Ratul Gupta <ratulg>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: fedora, gwync
Keywords: Security
Bug Depends On: 1007343, 1007344
Bug Blocks: 1007345

Description Ratul Gupta 2013-09-12 09:56:00 UTC
WordPress recently released the 3.6.1 update, which fixes several security issues, some of them as critical as remote code execution. Also, some security settings were modified to avoid execution of certain files.

Version 3.6.1 fixes three security issues:

* Remote Code Execution: Block unsafe PHP de-serialization that could occur in limited situations and setups, which can lead to remote code execution.

* Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website.

* Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post "written by" another user.

Additional security hardening:

* Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
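
The de-serialization item above, as an added illustration that is neither WordPress code nor the 3.6.1 patch itself: a loose "is this serialized?" check that trusts only the leading type tag, beside a stricter check, plus a hypothetical gadget class so the consequence of letting attacker data reach unserialize() is visible. The LogWriter class, the payload, the regexes and the policy of rejecting `O:` outright are all constructed for this example (WordPress's own is_serialized() is a different heuristic).

```php
<?php
// Added illustration, not WordPress code and not the 3.6.1 patch itself.
// WordPress keeps many option/meta values as PHP-serialized strings and
// unserialize()s them transparently on read. If the "is this serialized?"
// test can be satisfied by attacker-controlled input, that input reaches
// unserialize(), which instantiates whatever class the payload names
// (PHP object injection) and runs its magic methods.

// Hypothetical gadget class, not from WordPress: a __destruct that acts on
// attacker-controlled properties. In a real application this might be a
// logger or cache class that writes to disk.
class LogWriter {
    public $path = '/tmp/app.log';
    public $data = '';
    public function __destruct() {
        // A real gadget would file_put_contents($this->path, $this->data),
        // dropping a .php file under the web root. Only report here.
        printf("[__destruct] would write %d bytes to %s\n", strlen($this->data), $this->path);
    }
}

// Loose check: trusts a leading type tag and nothing else.
function is_serialized_loose($data) {
    return is_string($data) && preg_match('/^[aOsibdN][:;]/', $data) === 1;
}

// Strict check (this example's policy): accept only the grammar of the types
// the store legitimately holds (scalars and arrays), require the right
// terminator, and never accept 'O:' (objects).
function is_serialized_strict($data) {
    if (!is_string($data)) {
        return false;
    }
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    switch ($data[0]) {
        case 's':
            return preg_match('/^s:[0-9]+:".*";$/s', $data) === 1;
        case 'a':
            return substr($data, -1) === '}' && preg_match('/^a:[0-9]+:\{/', $data) === 1;
        case 'b':
        case 'i':
        case 'd':
            return preg_match('/^[bid]:-?[0-9.E+-]+;$/', $data) === 1;
        default:
            return false; // 'O:' and anything else rejected outright
    }
}

// Unserialize only when the checker accepts the value; $allow_objects=false
// additionally neutralises any object the payload still names (PHP >= 7.0).
function maybe_unserialize_with(callable $checker, $value, bool $allow_objects) {
    if (!$checker($value)) {
        return $value;
    }
    return $allow_objects
        ? unserialize($value)
        : unserialize($value, ['allowed_classes' => false]);
}

// Constructed payload: a serialized LogWriter pointing at the web root.
$path = '/var/www/html/shell.php';
$code = '<?php system($_GET["c"]); ?>';
$payload = sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
                   strlen($path), $path, strlen($code), $code);
$legit = 'a:1:{s:5:"color";s:3:"red";}';

printf("loose  accepts payload: %s, legit: %s\n",
       var_export(is_serialized_loose($payload), true), var_export(is_serialized_loose($legit), true));
printf("strict accepts payload: %s, legit: %s\n",
       var_export(is_serialized_strict($payload), true), var_export(is_serialized_strict($legit), true));

// Vulnerable path: the gadget is instantiated and its destructor fires.
$obj = maybe_unserialize_with('is_serialized_loose', $payload, true);
printf("loose path produced: %s\n", get_class($obj));
unset($obj);

// Hardened path: the payload never reaches unserialize() at all...
$val = maybe_unserialize_with('is_serialized_strict', $payload, false);
printf("strict path produced: %s\n", is_string($val) ? 'the raw string, untouched' : gettype($val));
// ...and even if a checker were fooled, allowed_classes=false yields an
// inert __PHP_Incomplete_Class instead of a live gadget.
$inert = unserialize($payload, ['allowed_classes' => false]);
printf("allowed_classes=false produced: %s\n", get_class($inert));
```

The two layers are independent: the format check keeps untrusted strings away from unserialize() in the first place, and `allowed_classes => false` limits the damage if a check is ever bypassed. Note that `allowed_classes` requires PHP 7.0 or later; on the PHP versions WordPress 3.6 ran on, the format check was the only line of defence, which is why tightening it mattered.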

Comment 1 Ratul Gupta 2013-09-12 09:59:29 UTC
Created wordpress tracking bugs for this issue:

Affects: fedora-all [bug 1007343]
Affects: epel-all [bug 1007344]

Comment 2 Vincent Danen 2013-09-12 16:00:42 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4338 to
the following vulnerability:

Name: CVE-2013-4338
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25325
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-includes/functions.php in WordPress before 3.6.1 does not properly
determine whether data has been serialized, which allows remote
attackers to execute arbitrary code by triggering erroneous PHP
unserialize operations.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4339 to
the following vulnerability:

Name: CVE-2013-4339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25323
Reference: http://core.trac.wordpress.org/changeset/25324
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

WordPress before 3.6.1 does not properly validate URLs before use in
an HTTP redirect, which allows remote attackers to bypass intended
redirection restrictions via a crafted string.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4340 to
the following vulnerability:

Name: CVE-2013-4340
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340
Assigned: 20130612
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25321
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote
authenticated users to spoof the authorship of a post by leveraging
the Author role and providing a modified user_ID parameter.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5738 to
the following vulnerability:

Name: CVE-2013-5738
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5738
Assigned: 20130911
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25322
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

The get_allowed_mime_types function in wp-includes/functions.php in
WordPress before 3.6.1 does not require the unfiltered_html capability
for uploads of .htm and .html files, which might make it easier for
remote authenticated users to conduct cross-site scripting (XSS)
attacks via a crafted file.


Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5739 to
the following vulnerability:

Name: CVE-2013-5739
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5739
Assigned: 20130911
Reference: http://codex.wordpress.org/Version_3.6.1
Reference: http://core.trac.wordpress.org/changeset/25322
Reference: http://wordpress.org/news/2013/09/wordpress-3-6-1/

The default configuration of WordPress before 3.6.1 does not prevent
uploads of .swf and .exe files, which might make it easier for remote
authenticated users to conduct cross-site scripting (XSS) attacks via
a crafted file, related to the get_allowed_mime_types function in
wp-includes/functions.php.
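
For the redirect issue (CVE-2013-4339), an added example that is not WordPress's own wp_validate_redirect() and not the code in the changesets referenced above: the redirect target is decided on the parsed URL, accepting only a plain same-site path or an absolute http/https URL whose host is on an allowlist, with the inputs a naive substring check gets wrong handled explicitly. The function name, host names and test inputs are constructed.

```php
<?php
// Added illustration, not WordPress code. Redirect-target validation for the
// open-redirect class of bug: the decision is made on the *parsed* URL, with
// the cases a naive substring check gets wrong handled explicitly.

function safe_redirect_target(string $location, array $allowed_hosts, string $fallback): string {
    $location = trim($location);

    // Control characters would allow header injection via the Location header.
    if ($location === '' || preg_match('/[\x00-\x1F\x7F]/', $location)) {
        return $fallback;
    }

    // Browsers treat "//host" and "/\host" as absolute (scheme-relative) URLs,
    // so normalise them before parsing instead of mistaking them for paths.
    if (preg_match('#^[/\\\\]{2}#', $location)) {
        $location = 'http:' . str_replace('\\', '/', $location);
    }

    $parts = parse_url($location);
    if ($parts === false) {
        return $fallback;
    }

    // No host: only a plain same-site path is acceptable, and a bare scheme
    // ("javascript:...", "http:evil") is not a path.
    if (!isset($parts['host'])) {
        if (isset($parts['scheme']) || $location[0] !== '/') {
            return $fallback;
        }
        return $location;
    }

    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;
    }
    // "http://good.example@evil.example/" parses with host=evil.example; refuse
    // userinfo altogether rather than reason about it.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return $fallback;
    }
    return $location;
}

// Constructed cases; allowed hosts and targets are hypothetical.
$allowed  = ['blog.example', 'www.blog.example'];
$fallback = 'https://blog.example/wp-admin/';
$cases = [
    '/wp-admin/edit.php',                          // relative path: allowed
    'https://blog.example/?p=1',                   // absolute, allowed host
    'https://BLOG.example/?p=2',                   // case-insensitive host
    'https://evil.example/',                       // foreign host
    '//evil.example/phish',                        // scheme-relative
    '/\\evil.example/phish',                       // backslash variant
    'http://blog.example@evil.example/',           // userinfo trick
    'https://blog.example.evil.example/',          // suffix-match trick
    'javascript:alert(1)',                         // not http(s)
    "/ok\r\nSet-Cookie: session=attacker",         // header injection
];
foreach ($cases as $c) {
    $result = safe_redirect_target($c, $allowed, $fallback);
    printf("%-45s -> %s\n", addcslashes($c, "\r\n"), $result === $fallback ? 'FALLBACK' : $result);
}
```

The host comparison is an exact, case-folded match against the allowlist, not a prefix or substring test; `blog.example.evil.example` and `blog.example@evil.example` are the two classic ways a "does it contain our domain" check is bypassed.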

Comment 3 Vincent Danen 2013-09-12 16:10:21 UTC
External References:

http://wordpress.org/news/2013/09/wordpress-3-6-1/
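
For the remaining three issues (CVE-2013-4340, CVE-2013-5738 and CVE-2013-5739), an added example that is not WordPress code: authorship of a submitted post and the set of permitted upload extensions are both derived from the current user's capabilities on the server, not from what the request claims or what the form displayed. The user model, capability names, ids and file names are constructed for the example.

```php
<?php
// Added illustration, not WordPress code. Two server-side rules behind the
// 3.6.1 changes: (1) a submitted field is honoured only when the current
// user's *capability* allows it, whatever the form did or did not display;
// (2) the upload extension allowlist is derived from the uploader's
// capabilities rather than being one global list.

// Hypothetical minimal user model: id plus a flat set of capability names.
function user_can(array $user, string $cap): bool {
    return in_array($cap, $user['caps'], true);
}

// CVE-2013-4340 class of bug: an Author submits post_author=<other user>.
// Decide authorship from capability, never from the request alone.
function resolve_post_author(array $request, array $current_user): int {
    $requested = isset($request['post_author']) ? (int) $request['post_author'] : 0;
    if ($requested > 0 && $requested !== $current_user['id']
        && user_can($current_user, 'edit_others_posts')) {
        return $requested;          // editors/admins may assign another author
    }
    return $current_user['id'];     // everyone else authors their own post
}

// CVE-2013-5738/5739 class of bug: the list of uploadable extensions.
function allowed_upload_extensions(array $current_user): array {
    $exts = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];      // no swf/exe at all
    if (user_can($current_user, 'unfiltered_html')) {
        $exts[] = 'htm';                                       // such a user can already
        $exts[] = 'html';                                      // inject markup/script
    }
    return $exts;
}

function is_upload_allowed(string $filename, array $current_user): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, allowed_upload_extensions($current_user), true);
}

// Constructed users and request; ids and capability names are hypothetical.
$author = ['id' => 7, 'caps' => ['edit_posts', 'publish_posts', 'upload_files']];
$editor = ['id' => 3, 'caps' => ['edit_posts', 'edit_others_posts', 'upload_files', 'unfiltered_html']];
$forged = ['post_title' => 'Hello', 'post_author' => '1'];   // claims user 1 wrote it

printf("author role submits post_author=1 -> stored as %d\n", resolve_post_author($forged, $author));
printf("editor role submits post_author=1 -> stored as %d\n", resolve_post_author($forged, $editor));
foreach (['page.html', 'movie.swf', 'setup.exe', 'photo.JPG', 'noext'] as $f) {
    printf("%-10s author:%-5s editor:%s\n", $f,
        is_upload_allowed($f, $author) ? 'allow' : 'deny',
        is_upload_allowed($f, $editor) ? 'allow' : 'deny');
}
```

An extension allowlist is only one of the checks an upload path needs: the file's actual content and declared MIME type should be checked against the extension as well, and the web server must not be configured to execute anything under the upload directory.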

Comment 5 Product Security DevOps Team 2019-06-08 02:30:32 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.