WordPress before 4.9.5: Multiple vulnerabilities

Authors: Multiple    Risk: High
CVE: Multiple    0day: Multiple
0day-id: 0DAY-10100    Date: 2018-04-15

CVE-2018-10100

Before WordPress 4.9.5, when force_ssl_admin() was enabled and the login page was requested over plain HTTP, wp-login.php built the HTTPS redirect target from $_SERVER['REQUEST_URI'] and $_SERVER['HTTP_HOST'] and passed it to wp_redirect() without validating the host, which gave an open redirect off the site.

Timestamp: 04/03/2018 02:31:16 PM    Author: ocean90    Message:

Login: Use wp_safe_redirect() when redirecting the login page if forced to use HTTPS.


trunk/src/wp-login.php

if ( force_ssl_admin() && ! is_ssl() ) {
	    if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) {
	 	        wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
 	        wp_safe_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) );
	        exit();
	    } else {
	 	        wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
	        wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
	        exit();
	    }
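Review bot: the fix rests entirely on wp_safe_redirect() falling back to admin_url() when the target host is not allowed, yet both branches still assemble the location from attacker-influenced input (an absolute-form $_SERVER['REQUEST_URI'] in the first branch, $_SERVER['HTTP_HOST'] in the second); add a one-line comment above the if stating that the host check lives inside wp_safe_redirect(), so a later refactor does not swap it back to wp_redirect(). A smaller point: `0 === strpos( $_SERVER['REQUEST_URI'], 'http' )` is a bare prefix test, so a request target such as `httpfoo` takes the first branch; `preg_match( '#^https?://#', $_SERVER['REQUEST_URI'] )` would make the intent explicit.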

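The redirect path the hunk changes, modelled as an added example in Python (not WordPress code). set_url_scheme(), wp_redirect() and wp_safe_redirect() are reduced to the behaviour the bug depends on, and HOME_HOST and ADMIN_URL are assumed values for an example site. It shows that an absolute-form request target, or a forged Host header, sent the old wp_redirect() off-site, and that wp_safe_redirect() sends the same requests to admin_url() instead.

```python
"""Model of the forced-HTTPS redirect in wp-login.php before and after
WordPress 4.9.5. Added example, not WordPress code: set_url_scheme(),
wp_redirect() and wp_safe_redirect() are reimplemented with only the
behaviour the bug depends on (host allow-list and the admin_url() fallback).
HOME_HOST and ADMIN_URL are assumed values for an example site."""
from urllib.parse import urlsplit, urlunsplit

HOME_HOST = "blog.example"                     # assumed home_url() host
ADMIN_URL = "https://blog.example/wp-admin/"   # assumed admin_url() fallback


def set_url_scheme(url: str, scheme: str) -> str:
    """Rewrite the scheme of an absolute URL; a bare path is returned unchanged."""
    parts = urlsplit(url)
    if not parts.netloc:
        return url
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))


def build_location(request_uri: str, http_host: str) -> str:
    """Same two branches as the wp-login.php hunk.

    A client may send an absolute-form request target
    (GET http://evil.example/wp-login.php HTTP/1.1), which web servers may
    expose verbatim in REQUEST_URI; HTTP_HOST is the client's Host header.
    Both values are attacker-controlled."""
    if request_uri.startswith("http"):
        return set_url_scheme(request_uri, "https")
    return "https://" + http_host + request_uri


def wp_redirect(location: str) -> str:
    """Pre-4.9.5 behaviour: no validation of the target at all."""
    return location


def wp_safe_redirect(location: str, allowed_hosts=(HOME_HOST,)) -> str:
    """4.9.5 behaviour: off-site hosts are replaced by the admin URL."""
    host = urlsplit(location).hostname
    if host is None:                 # relative target, stays on this origin
        return location
    if host.lower() not in allowed_hosts:
        return ADMIN_URL
    return location


def login_redirect(request_uri: str, http_host: str, fixed: bool = True) -> str:
    """Where the browser ends up for a given REQUEST_URI / Host pair."""
    location = build_location(request_uri, http_host)
    return wp_safe_redirect(location) if fixed else wp_redirect(location)


if __name__ == "__main__":
    # Constructed request pairs: a normal login, an absolute-form target, a forged Host.
    for uri, host in (("/wp-login.php", "blog.example"),
                      ("http://evil.example/wp-login.php", "blog.example"),
                      ("/wp-login.php", "evil.example")):
        print(uri, host, "-> before:", login_redirect(uri, host, fixed=False),
              "| after:", login_redirect(uri, host))
```

The model only pins the host; the real wp_safe_redirect() also consults the allowed_redirect_hosts filter and handles relative and scheme-less targets, so a site that legitimately redirects to a second hostname needs that filter rather than a fall-back to wp_redirect().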
CVE-2018-10101

Before WordPress 4.9.5, the HTTP API's URL validator (wp_http_validate_url() in wp-includes/http.php) treated any URL whose hostname was localhost as being on the same host as the WordPress site, so such URLs skipped the checks that are applied to external hosts.

Timestamp: 04/03/2018 02:59:44 PM    Author: ocean90    Message:

HTTP: Don’t treat localhost as same host by default.

trunk/src/wp-includes/http.php

if ( isset( $parsed_home['host'] ) ) {
	 	        $same_host = ( strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] ) || 'localhost' === strtolower( $parsed_url['host'] ) );
 		        $same_host = strtolower( $parsed_home['host'] ) === strtolower( $parsed_url['host'] );
	    } else {
	        $same_host = false;
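Review bot: the commit message says localhost is no longer treated as same host "by default", but nothing in the hunk shows how a site opts back in; name the filter (or constant) that restores loopback access in the message or in an inline comment, otherwise installs that legitimately call themselves (cron triggers, a local reverse proxy) will see requests rejected with no pointer to the knob. With the exception gone, `$same_host` is a plain case-insensitive string comparison, so `Localhost` and `localhost.` now take the same path as any other external host, which is the intent; a unit test asserting that `http://localhost/` is not same-host would pin that behaviour.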

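The same-host decision and the local-address check it short-circuits, modelled as an added example in Python (not WordPress code). DNS is replaced by a constructed resolver table so the block runs offline; HOME_URL and the resolver entries are assumed values. The point it makes is that the old exception was purely name-based: `http://127.0.0.1/` was already rejected, but `http://localhost:8080/` walked straight past the private-range check because $same_host was true.

```python
"""Model of the same-host shortcut in wp_http_validate_url()
(wp-includes/http.php) before and after WordPress 4.9.5. Added example,
not WordPress code: DNS is replaced by a constructed resolver table so it
runs offline, and only the same-host test and the local-address check it
short-circuits are modelled. HOME_URL and RESOLVER are assumed values."""
import ipaddress
from urllib.parse import urlsplit

HOME_URL = "https://blog.example"          # assumed home_url()

# Constructed stand-in for gethostbyname(); entries are invented for the example.
RESOLVER = {
    "blog.example": "198.51.100.10",
    "localhost": "127.0.0.1",
    "intranet.corp": "10.0.0.5",
}

# Ranges the validator treats as local: 0/8, 10/8, 127/8, 172.16/12, 192.168/16.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
               "172.16.0.0/12", "192.168.0.0/16")]


def is_same_host(url: str, allow_localhost: bool) -> bool:
    """The $same_host line from the hunk; the pre-fix localhost exception is optional."""
    home_host = (urlsplit(HOME_URL).hostname or "").lower()
    url_host = (urlsplit(url).hostname or "").lower()
    if home_host and home_host == url_host:
        return True
    return allow_localhost and url_host == "localhost"


def appears_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def resolve(host: str):
    """Literal IPv4 first, then the resolver table; None when unresolvable."""
    try:
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        return RESOLVER.get(host)


def validate_url(url: str, fixed: bool = True) -> bool:
    """True if an outbound request to `url` would be permitted.

    fixed=False reproduces the pre-4.9.5 behaviour, where a hostname of
    `localhost` counted as same-host and skipped the local-address check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if is_same_host(url, allow_localhost=not fixed):
        return True                    # same host: local-address check is skipped
    ip = resolve(parts.hostname.lower())
    if ip is None:
        return True                    # unresolvable name is let through, as WordPress does
    return not appears_local(ip)


if __name__ == "__main__":
    for target in ("https://blog.example/wp-json/", "http://localhost:8080/admin",
                   "http://127.0.0.1:8080/admin", "http://intranet.corp/"):
        print(target, "before:", validate_url(target, fixed=False),
              "after:", validate_url(target))
```

Anything reachable on the loopback interface of the web server (a Redis or memcached instance, a debug endpoint, an admin service bound to 127.0.0.1) was therefore reachable through any feature that fetches a user-supplied URL via the HTTP API; after the fix, `localhost` resolves to 127.0.0.1 and is rejected like any other private address.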
CVE-2018-10102

Before WordPress 4.9.5, get_the_generator() in wp-includes/general-template.php inserted the version string into the generator tag without escaping it; a version string containing quotes or angle brackets could break out of the attribute and lead to XSS.

Timestamp: 04/03/2018 02:58:48 PM    Author: ocean90    Message:

Template: Make sure the version string is correctly escaped for use in attributes.

trunk/src/wp-includes/general-template.php

switch ( $type ) {
	        case 'html':
	 	            $gen = '<meta name="generator" content="WordPress ' . get_bloginfo( 'version' ) . '">';
 		            $gen = '<meta name="generator" content="WordPress ' . esc_attr( get_bloginfo( 'version' ) ) . '">';
	            break;
	        case 'xhtml':
	 	            $gen = '<meta name="generator" content="WordPress ' . get_bloginfo( 'version' ) . '" />';
 		            $gen = '<meta name="generator" content="WordPress ' . esc_attr( get_bloginfo( 'version' ) ) . '" />';
	            break;
	        case 'atom':
	 	            $gen = '<generator uri="https://wordpress.org/" version="' . get_bloginfo_rss( 'version' ) . '">WordPress</generator>';
 		            $gen = '<generator uri="https://wordpress.org/" version="' . esc_attr( get_bloginfo_rss( 'version' ) ) . '">WordPress</generator>';
	            break;
	        case 'rss2':
	 	            $gen = '<generator>https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) . '</generator>';
 		            $gen = '<generator>' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '</generator>';
	            break;
	        case 'rdf':
	 	            $gen = '<admin:generatorAgent rdf:resource="https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) . '" />';
 		            $gen = '<admin:generatorAgent rdf:resource="' . esc_url_raw( 'https://wordpress.org/?v=' . get_bloginfo_rss( 'version' ) ) . '" />';
	            break;
	        case 'comment':
	 	            $gen = '<!-- generator="WordPress/' . get_bloginfo( 'version' ) . '" -->';
 		            $gen = '<!-- generator="WordPress/' . esc_attr( get_bloginfo( 'version' ) ) . '" -->';
	            break;
	        case 'export':
	 	            $gen = '<!-- generator="WordPress/' . get_bloginfo_rss( 'version' ) . '" created="' . date( 'Y-m-d H:i' ) . '" -->';
 		            $gen = '<!-- generator="WordPress/' . esc_attr( get_bloginfo_rss( 'version' ) ) . '" created="' . date( 'Y-m-d H:i' ) . '" -->';
	            break;
	    }
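Review bot: the 'rss2' and 'rdf' cases switch to esc_url_raw() while every other case uses esc_attr(); esc_url_raw() is the non-display variant, which strips characters outside the URL character set (so a quote can no longer close the rdf:resource attribute) but leaves '&' unencoded, so a version string containing '&' would still yield ill-formed XML in both feeds. Use esc_url() there, whose display context entity-encodes '&', or wrap the esc_url_raw() result in esc_attr() for the rdf attribute. The 'export' case also still interpolates date( 'Y-m-d H:i' ) unescaped; that value is server-generated and safe, but a short comment saying so will save the question on the next review.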
