Vulnerabilities > CVE-2014-5266 - Resource Management Errors vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Metasploit
| description | Wordpress XMLRPC parsing is vulnerable to a XML based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched). |
| id | MSF:AUXILIARY/DOS/HTTP/WORDPRESS_XMLRPC_DOS |
| last seen | 2020-06-05 |
| modified | 2018-07-12 |
| published | 2014-08-07 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb |
| title | Wordpress XMLRPC DoS |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2999.NASL description A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site last seen 2020-03-17 modified 2014-08-10 plugin id 77100 published 2014-08-10 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77100 title Debian DSA-2999-1 : drupal7 - security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2999. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(77100); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-5265", "CVE-2014-5266", "CVE-2014-5267"); script_bugtraq_id(69146); script_xref(name:"DSA", value:"2999"); script_name(english:"Debian DSA-2999-1 : drupal7 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A denial of service vulnerability was discovered in Drupal, a fully-featured content management framework. A remote attacker could exploit this flaw to cause CPU and memory exhaustion and the site's database to reach the maximum number of open connections, leading to the site becoming unavailable or unresponsive. More information can be found at https://www.drupal.org/SA-CORE-2014-004." ); # https://www.drupal.org/SA-CORE-2014-004 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1de16175" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/drupal7" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2014/dsa-2999" ); script_set_attribute( attribute:"solution", value: "Upgrade the drupal7 packages. For the stable distribution (wheezy), this problem has been fixed in version 7.14-2+deb7u6." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:drupal7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2014/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"drupal7", reference:"7.14-2+deb7u6")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family CGI abuses NASL id WORDPRESS_3_9_2.NASL description According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities : - An XML injection flaw exists within last seen 2020-06-01 modified 2020-06-02 plugin id 77157 published 2014-08-12 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77157 title WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(77157); script_version("1.14"); script_cvs_date("Date: 2018/11/15 20:50:19"); script_cve_id( "CVE-2014-2053", "CVE-2014-5203", "CVE-2014-5204", "CVE-2014-5205", "CVE-2014-5240", "CVE-2014-5265", "CVE-2014-5266" ); script_bugtraq_id(69096); script_name(english:"WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities"); script_summary(english:"Checks the version of WordPress."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities : - An XML injection flaw exists within 'getid3.lib.php' due to the parser accepting XML external entities from untrusted sources. Using specially crafted XML data, a remote attacker could access sensitive information or cause a denial of service. This affects versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4. - An XML injection flaw exists within 'xmlrpc.php' due to the parser accepting XML internal entities without properly validating them. Using specially crafted XML data, a remote attacker could cause a denial of service. This affects versions 1.5 - 3.9.1, except 3.7.4 and 3.8.4. - An unsafe serialization flaw exists in the script '/src/wp-includes/class-wp-customize-widgets.php' when processing widgets. This could allow a remote attacker to execute arbitrary code. Versions 3.9 and 3.9.1 non-default configurations are affected. - A flaw exists when building CSRF tokens due to it not separating pieces by delimiter and not comparing nonces in a time-constant manner. This could allow a remote attacker to conduct a brute force attack and potentially disclose the CSRF token. This affects versions 2.0.3 - 3.9.1, except 3.7.4 and 3.8.4. - A cross-site scripting flaw exists in the function 'get_avatar' within the '/src/wp-includes/pluggable.php' script where input from the avatars is not validated before returning it to the user. Using a specially crafted request, an authenticated attacker could execute arbitrary script code within the browser / server trust relationship. This affects version 3.9.1. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2014/08/wordpress-3-9-2/"); script_set_attribute(attribute:"see_also", value:"https://codex.wordpress.org/Version_3.9.2"); script_set_attribute(attribute:"see_also", value:"https://seclists.org/oss-sec/2014/q3/301"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29405/branches/3.9"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29389"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29390"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29384"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29408"); script_set_attribute(attribute:"see_also", value:"https://core.trac.wordpress.org/changeset/29398"); script_set_attribute(attribute:"solution", value:"Upgrade to WordPress 3.7.4 / 3.8.4 / 3.9.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990); script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/07"); script_set_attribute(attribute:"patch_publication_date", value:"2014/08/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/12"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc."); script_dependencies("wordpress_detect.nasl"); script_require_keys("www/PHP", "installed_sw/WordPress", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "WordPress"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port, exit_if_unknown_ver : TRUE ); dir = install['path']; version = install['version']; install_url = build_url(port:port, qs:dir); if (report_paranoia < 2) audit(AUDIT_PARANOID); ver = split(version, sep:".", keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # Versions 1.5 < 3.7.4 / 3.8.4 / 3.9.2 are vulnerable if ( (ver[0] == 1 && ver[1] >= 5) || (ver[0] == 2) || (ver[0] == 3 && ver[1] <= 6) || (ver[0] == 3 && ver[1] == 7 && ver[2] < 4) || (ver[0] == 3 && ver[1] == 8 && ver[2] < 4) || (ver[0] == 3 && ver[1] == 9 && ver[2] < 2) ) { set_kb_item(name:'www/'+port+'/XSS', value:TRUE); if (report_verbosity > 0) { report = '\n URL : ' +install_url+ '\n Installed version : ' +version+ '\n Fixed version : 3.7.4 / 3.8.4 / 3.9.2\n'; security_hole(port:port, extra:report); } else security_hole(port); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);NASL family Fedora Local Security Checks NASL id FEDORA_2014-9278.NASL description Update to upstream 7.31 release for SA-CORE-2014-004 This is a bugfix release. For complete details, refer to: https://www.drupal.org/drupal-7.30-release-notes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-08-22 plugin id 77314 published 2014-08-22 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77314 title Fedora 20 : drupal7-7.31-1.fc20 (2014-9278) NASL family Fedora Local Security Checks NASL id FEDORA_2014-9281.NASL description - Update to Drupal 6.33. - Drupal 6.33 release notes can be found here, https://www.drupal.org/drupal-6.33-release-notes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-09-29 plugin id 77948 published 2014-09-29 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77948 title Fedora 20 : drupal6-6.33-1.fc20 (2014-9281) NASL family Fedora Local Security Checks NASL id FEDORA_2014-9264.NASL description Upstream announcement: http://wordpress.org/news/2014/08/wordpress-3-9-2/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-08-22 plugin id 77312 published 2014-08-22 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77312 title Fedora 20 : wordpress-3.9.2-3.fc20 (2014-9264) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3001.NASL description Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/. last seen 2020-03-17 modified 2014-08-10 plugin id 77102 published 2014-08-10 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77102 title Debian DSA-3001-1 : wordpress - security update NASL family CGI abuses NASL id DRUPAL_7_31.NASL description The remote web server is running a version of Drupal that is 6.x prior to 6.33 or 7.x prior to 7.31. It is, therefore, potentially affected by multiple denial of service vulnerabilities : - The XML-RPC library in Drupal allows entity declarations without considering recursion during entity expansion. A remote attacker, using a crafted XML document with a large number of nested entity references, can cause a denial of service by consuming available memory and CPU resources. (CVE-2014-5265) - The XML-RPC library in Drupal does not limit the number of elements in an XML document. A remote attacker, via a large document, could cause a denial of service by CPU consumption. (CVE-2014-5266) - An XML injection flaw exists in last seen 2020-06-01 modified 2020-06-02 plugin id 77186 published 2014-08-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77186 title Drupal 6.x < 6.33 / 7.x < 7.31 XML-RPC DoS NASL family Debian Local Security Checks NASL id DEBIAN_DLA-56.NASL description Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at https://wordpress.org/news/2014/08/wordpress-3-9-2/ NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-03-26 plugin id 82202 published 2015-03-26 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82202 title Debian DLA-56-1 : wordpress security update NASL family Fedora Local Security Checks NASL id FEDORA_2014-9277.NASL description Update to upstream 7.31 release for SA-CORE-2014-004 This is a bugfix release. For complete details refer to: https://www.drupal.org/drupal-7.30-release-notes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-08-22 plugin id 77313 published 2014-08-22 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77313 title Fedora 19 : drupal7-7.31-1.fc19 (2014-9277) NASL family Fedora Local Security Checks NASL id FEDORA_2014-9270.NASL description Upstream announcement: http://wordpress.org/news/2014/08/wordpress-3-9-2/ Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-08-23 plugin id 77347 published 2014-08-23 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77347 title Fedora 19 : wordpress-3.9.2-3.fc19 (2014-9270)
References
- http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830
- http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830
- http://www.debian.org/security/2014/dsa-2999
- http://www.debian.org/security/2014/dsa-3001
- https://core.trac.wordpress.org/changeset/29404
- https://wordpress.org/news/2014/08/wordpress-3-9-2/
- https://www.drupal.org/SA-CORE-2014-004