Debian DLA-1742-1 : wordpress security update

2019-04-0100:00:00

www.tenable.com

JSON

Simon Scannell of Ripstech Technologies discovered multiple vulnerabilities in wordpress, a web blogging manager.

CVE-2019-8942

remote code execution in wordpress because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata.

CVE-2019-9787

wordpress does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration.
This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access.

For Debian 8 ‘Jessie’, these problems have been fixed in version 4.1.26+dfsg-1+deb8u1.

We recommend that you upgrade your wordpress packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-1742-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(123529);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2019-8942", "CVE-2019-9787");

  script_name(english:"Debian DLA-1742-1 : wordpress security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Simon Scannell of Ripstech Technologies discovered multiple
vulnerabilities in wordpress, a web blogging manager.

CVE-2019-8942

remote code execution in wordpress because an _wp_attached_file Post
Meta entry can be changed to an arbitrary string, such as one ending
with a .jpg?file.php substring. An attacker with author privileges can
execute arbitrary code by uploading a crafted image containing PHP
code in the Exif metadata.

CVE-2019-9787

wordpress does not properly filter comment content, leading to Remote
Code Execution by unauthenticated users in a default configuration.
This occurs because CSRF protection is mishandled, and because Search
Engine Optimization of A elements is performed incorrectly, leading to
XSS. The XSS results in administrative access.

For Debian 8 'Jessie', these problems have been fixed in version
4.1.26+dfsg-1+deb8u1.

We recommend that you upgrade your wordpress packages.

NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2019/03/msg00044.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/wordpress"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9787");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'WordPress Crop-image Shell Upload');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-l10n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentyfifteen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentyfourteen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentythirteen");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/03/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/01");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"8.0", prefix:"wordpress", reference:"4.1.26+dfsg-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"wordpress-l10n", reference:"4.1.26+dfsg-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"wordpress-theme-twentyfifteen", reference:"4.1.26+dfsg-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"wordpress-theme-twentyfourteen", reference:"4.1.26+dfsg-1+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"wordpress-theme-twentythirteen", reference:"4.1.26+dfsg-1+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

VendorProductVersionCPE
debiandebian_linuxwordpressp-cpe:/a:debian:debian_linux:wordpress
debiandebian_linuxwordpress-l10np-cpe:/a:debian:debian_linux:wordpress-l10n
debiandebian_linuxwordpress-theme-twentyfifteenp-cpe:/a:debian:debian_linux:wordpress-theme-twentyfifteen
debiandebian_linuxwordpress-theme-twentyfourteenp-cpe:/a:debian:debian_linux:wordpress-theme-twentyfourteen
debiandebian_linuxwordpress-theme-twentythirteenp-cpe:/a:debian:debian_linux:wordpress-theme-twentythirteen
debiandebian_linux8.0cpe:/o:debian:debian_linux:8.0

Vendor	Product	Version	CPE
debian	debian_linux	wordpress	p-cpe:/a:debian:debian_linux:wordpress
debian	debian_linux	wordpress-l10n	p-cpe:/a:debian:debian_linux:wordpress-l10n
debian	debian_linux	wordpress-theme-twentyfifteen	p-cpe:/a:debian:debian_linux:wordpress-theme-twentyfifteen
debian	debian_linux	wordpress-theme-twentyfourteen	p-cpe:/a:debian:debian_linux:wordpress-theme-twentyfourteen
debian	debian_linux	wordpress-theme-twentythirteen	p-cpe:/a:debian:debian_linux:wordpress-theme-twentythirteen
debian	debian_linux	8.0	cpe:/o:debian:debian_linux:8.0