Vulnerabilities > CVE-2014-2053 - XML External Entity Injection vulnerability in ownCloud
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. Per: http://cwe.mitre.org/data/definitions/611.html "CWE-611: Improper Restriction of XML External Entity Reference ('XXE')"
Vulnerable Configurations
Nessus
NASL family CGI abuses NASL id WORDPRESS_3_9_2.NASL description According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities : - An XML injection flaw exists within last seen 2020-06-01 modified 2020-06-02 plugin id 77157 published 2014-08-12 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77157 title WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(77157); script_version("1.14"); script_cvs_date("Date: 2018/11/15 20:50:19"); script_cve_id( "CVE-2014-2053", "CVE-2014-5203", "CVE-2014-5204", "CVE-2014-5205", "CVE-2014-5240", "CVE-2014-5265", "CVE-2014-5266" ); script_bugtraq_id(69096); script_name(english:"WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities"); script_summary(english:"Checks the version of WordPress."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities : - An XML injection flaw exists within 'getid3.lib.php' due to the parser accepting XML external entities from untrusted sources. Using specially crafted XML data, a remote attacker could access sensitive information or cause a denial of service. This affects versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4. - An XML injection flaw exists within 'xmlrpc.php' due to the parser accepting XML internal entities without properly validating them. Using specially crafted XML data, a remote attacker could cause a denial of service. This affects versions 1.5 - 3.9.1, except 3.7.4 and 3.8.4. - An unsafe serialization flaw exists in the script '/src/wp-includes/class-wp-customize-widgets.php' when processing widgets. This could allow a remote attacker to execute arbitrary code. Versions 3.9 and 3.9.1 non-default configurations are affected. - A flaw exists when building CSRF tokens due to it not separating pieces by delimiter and not comparing nonces in a time-constant manner. This could allow a remote attacker to conduct a brute force attack and potentially disclose the CSRF token. This affects versions 2.0.3 - 3.9.1, except 3.7.4 and 3.8.4. - A cross-site scripting flaw exists in the function 'get_avatar' within the '/src/wp-includes/pluggable.php' script where input from the avatars is not validated before returning it to the user. Using a specially crafted request, an authenticated attacker could execute arbitrary script code within the browser / server trust relationship. This affects version 3.9.1. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2014/08/wordpress-3-9-2/"); script_set_attribute(attribute:"see_also", value:"https://codex.wordpress.org/Version_3.9.2"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2014/q3/301"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29405/branches/3.9"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29389"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29390"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29384"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29408"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29398"); script_set_attribute(attribute:"solution", value:"Upgrade to WordPress 3.7.4 / 3.8.4 / 3.9.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/07"); script_set_attribute(attribute:"patch_publication_date", value:"2014/08/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/12"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("wordpress_detect.nasl"); script_require_keys("www/PHP", "installed_sw/WordPress", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "WordPress"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); dir = install['path']; version = install['version']; install_url = build_url(port:port, qs:dir); if (report_paranoia < 2) audit(AUDIT_PARANOID); ver = split(version, sep:".", keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # Versions 1.5 < 3.7.4 / 3.8.4 / 3.9.2 are vulnerable if ( (ver[0] == 1 && ver[1] >= 5) || (ver[0] == 2) || (ver[0] == 3 && ver[1] <= 6) || (ver[0] == 3 && ver[1] == 7 && ver[2] < 4) || (ver[0] == 3 && ver[1] == 8 && ver[2] < 4) || (ver[0] == 3 && ver[1] == 9 && ver[2] < 2) ) { set_kb_item(name:'www/'+port+'/XSS', value:TRUE); if (report_verbosity > 0) { report = '\n URL : ' +install_url+ '\n Installed version : ' +version+ '\n Fixed version : 3.7.4 / 3.8.4 / 3.9.2\n'; security_hole(port:port, extra:report); } else security_hole(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3001.NASL description Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/. last seen 2020-03-17 modified 2014-08-10 plugin id 77102 published 2014-08-10 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77102 title Debian DSA-3001-1 : wordpress - security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3001. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(77102); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-2053", "CVE-2014-5204", "CVE-2014-5205", "CVE-2014-5240", "CVE-2014-5265", "CVE-2014-5266"); script_bugtraq_id(69096); script_xref(name:"DSA", value:"3001"); script_name(english:"Debian DSA-3001-1 : wordpress - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/." ); script_set_attribute( attribute:"see_also", value:"https://wordpress.org/news/2014/08/wordpress-3-9-2/" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/wordpress" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2014/dsa-3001" ); script_set_attribute( attribute:"solution", value: "Upgrade the wordpress packages. For the stable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u4." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2014/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"wordpress", reference:"3.6.1+dfsg-1~deb7u4")) flag++; if (deb_check(release:"7.0", prefix:"wordpress-l10n", reference:"3.6.1+dfsg-1~deb7u4")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DLA-56.NASL description Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/ NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-03-26 plugin id 82202 published 2015-03-26 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82202 title Debian DLA-56-1 : wordpress security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-56-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(82202); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-2053", "CVE-2014-5204", "CVE-2014-5205", "CVE-2014-5240", "CVE-2014-5265", "CVE-2014-5266"); script_bugtraq_id(66225, 69096, 69146); script_name(english:"Debian DLA-56-1 : wordpress security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/ NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2014/09/msg00013.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/wordpress" ); script_set_attribute( attribute:"see_also", value:"https://wordpress.org/news/2014/08/wordpress-3-9-2/" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected wordpress, and wordpress-l10n packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-l10n"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2014/09/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"wordpress", reference:"3.6.1+dfsg-1~deb6u5")) flag++; if (deb_check(release:"6.0", prefix:"wordpress-l10n", reference:"3.6.1+dfsg-1~deb6u5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Seebug
| bulletinFamily | exploit |
| description | CVE ID:CVE-2014-2053 getID3()是一款从MP3等媒体文件中提取文件信息的php类,既可以提取也能修改文件的标签信息。 解析XML实体时的错误,可以被利用来如披露某些本地文件内容,或例如通过特制的使用iXML块的WAV文件用消耗过多的服务器资源。 0 getID3() 1.x 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc |
| id | SSV:61847 |
| last seen | 2017-11-19 |
| modified | 2014-03-19 |
| published | 2014-03-19 |
| reporter | Root |
| title | getID3() XML外部实体漏洞 |