Vulnerabilities > CVE-2014-5203 - Unspecified vulnerability in Wordpress 3.9.0/3.9.1

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(77157);
  script_version("1.14");
  script_cvs_date("Date: 2018/11/15 20:50:19");

  script_cve_id(
    "CVE-2014-2053",
    "CVE-2014-5203",
    "CVE-2014-5204",
    "CVE-2014-5205",
    "CVE-2014-5240",
    "CVE-2014-5265",
    "CVE-2014-5266"
  );
  script_bugtraq_id(69096);

  script_name(english:"WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of WordPress.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version number, the WordPress application hosted on
the remote web server is affected by multiple vulnerabilities :

  - An XML injection flaw exists within 'getid3.lib.php'
    due to the parser accepting XML external entities
    from untrusted sources. Using specially crafted XML
    data, a remote attacker could access sensitive
    information or cause a denial of service. This affects
    versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4.

  - An XML injection flaw exists within 'xmlrpc.php' due to
    the parser accepting XML internal entities without
    properly validating them. Using specially crafted XML
    data, a remote attacker could cause a denial of service.
    This affects versions 1.5 - 3.9.1, except 3.7.4 and
    3.8.4.

  - An unsafe serialization flaw exists in the script
    '/src/wp-includes/class-wp-customize-widgets.php' when
    processing widgets. This could allow a remote attacker
    to execute arbitrary code. Versions 3.9 and 3.9.1
    non-default configurations are affected.

  - A flaw exists when building CSRF tokens due to it not
    separating pieces by delimiter and not comparing nonces
    in a time-constant manner. This could allow a remote
    attacker to conduct a brute force attack and potentially
    disclose the CSRF token. This affects versions 2.0.3 -
    3.9.1, except 3.7.4 and 3.8.4.

  - A cross-site scripting flaw exists in the function
    'get_avatar' within the '/src/wp-includes/pluggable.php'
    script where input from the avatars is not validated
    before returning it to the user. Using a specially
    crafted request, an authenticated attacker could execute
    arbitrary script code within the browser / server trust
    relationship. This affects version 3.9.1.

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2014/08/wordpress-3-9-2/");
  script_set_attribute(attribute:"see_also", value:"https://codex.wordpress.org/Version_3.9.2");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2014/q3/301");
  script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29405/branches/3.9");
  script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29389");
  script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29390");
  script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29384");
  script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29408");
  script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29398");

  script_set_attribute(attribute:"solution", value:"Upgrade to WordPress 3.7.4 / 3.8.4 / 3.9.2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/12");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("www/PHP", "installed_sw/WordPress", "Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port,
  exit_if_unknown_ver : TRUE
);

dir = install['path'];
version = install['version'];
install_url = build_url(port:port, qs:dir);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

ver = split(version, sep:".", keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

# Versions 1.5 < 3.7.4 / 3.8.4 / 3.9.2 are vulnerable
if (
     (ver[0] == 1 && ver[1] >= 5) ||
     (ver[0] == 2) ||
     (ver[0] == 3 && ver[1] <= 6) ||
     (ver[0] == 3 && ver[1] == 7 && ver[2] < 4) ||
     (ver[0] == 3 && ver[1] == 8 && ver[2] < 4) ||
     (ver[0] == 3 && ver[1] == 9 && ver[2] < 2)
)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);

  if (report_verbosity > 0)
  {
    report =
      '\n  URL               : ' +install_url+
      '\n  Installed version : ' +version+
      '\n  Fixed version     : 3.7.4 / 3.8.4 / 3.9.2\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory 2014-9264.
#

include("compat.inc");

if (description)
{
  script_id(77312);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2014-5203", "CVE-2014-5204", "CVE-2014-5205", "CVE-2014-5240", "CVE-2014-5265", "CVE-2014-5266");
  script_bugtraq_id(69096, 69146);
  script_xref(name:"FEDORA", value:"2014-9264");

  script_name(english:"Fedora 20 : wordpress-3.9.2-3.fc20 (2014-9264)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Upstream announcement:
http://wordpress.org/news/2014/08/wordpress-3-9-2/

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # http://wordpress.org/news/2014/08/wordpress-3-9-2/
  script_set_attribute(
    attribute:"see_also",
    value:"https://wordpress.org/news/2014/08/wordpress-3-9-2/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1127547"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=1129750"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136891.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?73625ed0"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected wordpress package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wordpress");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/08/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/22");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC20", reference:"wordpress-3.9.2-3.fc20")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wordpress");
}