CVE-2013-4144: Image object injection vulnerability via 'buttonImageURL' parameter · Issue #1 · WordPress/secure-swfupload

There is an object injection vulnerability in the SWFUpload plugin for WordPress.

**nacin commented Jul 3, 2013**

From an email sent by @nealpoole:

Do you have a proposed fix for the “object injection” issue? My initial thought is that the buttonImageURL parameter is working exactly as intended. The behavior is similar to a message board that allows you to embed images from third party websites. We could try to artificially constrain the image to the same domain as the SWF, but with open redirects and increased use of CDNs that change seems likely to break backwards compatibility and not serve as a complete fix.

From an email sent by me:

We agree with Neal that the image injection issue is more or less intended behavior, especially since fixing the XSS prevents a potential problem where the image can be used with XSS to help trick a user. The original reporter indicated a link between these issues as well, and we don’t really see the image injection as a vulnerability in itself.

There are three ways to resolve this: 1) Remove support for buttonImageURL entirely. 2) Enforce the same domain for buttonImageURL. 3) Do nothing. None of these are perfect. Doing nothing does not entirely resolve the issue of trust, as you could use this to serve sketchy images from a trusted domain. The other options (removing buttonImageURL or enforcing the same domain) would indeed break current behavior, but the goal of our fork is for SWFUpload to be secure, not necessarily pretty and functional. But, having a button image is still pretty important. I’ve spoken to a few members of the WP security team and we’re leaning toward WONTFIX for this, or if consensus ends up being same-domain, we can do that too.

From an email sent by Szymon Gruszecki:

Consider another way to resolve "the issue": disable passing app parameters by URL. As I can see in the current SWFUpload source code, there are JS callbacks that allow these values to be set; only the parameter "moveName" cannot be set in any way other than by FlashVars.

For the time being, those looking for an immediate solution can just use the following in .htaccess:

<files swfupload.swf>
order allow,deny
deny from all
</files>

If you need to keep swfupload.swf accessible but want to prevent the use of the buttonImageURL parameter, something like this might work…

RewriteCond %{QUERY_STRING} (?:^|&)buttonImageURL=([^&]+) [NC]
RewriteRule ^wp-includes/js/swfupload/swfupload.swf$ - [R=404,L]

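The rewrite rule above answers any request for swfupload.swf whose query string names buttonImageURL with a 404, and the thread also floats enforcing the same domain as a middle ground. The script below is an added example, not code from this issue, from SWFUpload or from WordPress: it applies the same case-insensitive match as the RewriteCond to the raw query string of access-log lines, then applies the same-domain test to the decoded value, so an operator can see which past requests the .htaccess rule would have blocked and which of those pointed the button image at another host. The log lines are constructed, and the site host example.com is an assumption.

```python
"""Scan access logs for requests passing buttonImageURL to swfupload.swf.

Added example for this issue thread; not code from the issue, SWFUpload or
WordPress. It mirrors the thread's RewriteCond ((?:^|&)buttonImageURL=...,
[NC]) on the undecoded query string and then applies the "same domain"
policy the thread discusses to the decoded value. The log lines and the site
host example.com are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Same expression as the thread's RewriteCond; [NC] becomes IGNORECASE.
BUTTON_IMAGE_RE = re.compile(r"(?:^|&)buttonImageURL=([^&]+)", re.IGNORECASE)

# Path used in the thread's RewriteRule (the copy of SWFUpload bundled with WordPress).
SWF_PATH = "/wp-includes/js/swfupload/swfupload.swf"

# Minimal Apache combined-log parser; only client, request target and status
# are extracted because that is all the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def button_image_url(raw_query: str):
    """Return the raw (still percent-encoded) buttonImageURL value, or None.

    Matching runs on the undecoded query string, as Apache's %{QUERY_STRING}
    does, so this has exactly the reach of the .htaccess rule.
    """
    m = BUTTON_IMAGE_RE.search(raw_query)
    return m.group(1) if m else None


def is_same_site(image_url: str, site_host: str) -> bool:
    """True for relative URLs and for absolute URLs whose host is site_host.

    Comparing urlsplit().hostname rather than the raw string means
    scheme-relative (//other.test/x.png) and userinfo tricks
    (http://example.com@other.test/x.png) are both treated as off-site.
    """
    parts = urlsplit(image_url)
    if not parts.scheme and not parts.netloc:
        return True
    return parts.hostname is not None and parts.hostname.lower() == site_host.lower()


def classify(line: str, site_host: str):
    """Classify one log line.

    Returns None when the line is unparseable, does not target swfupload.swf,
    or carries no buttonImageURL. Otherwise returns a dict describing the
    request; every such request is one the RewriteRule would answer with 404.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path != SWF_PATH:
        return None
    raw = button_image_url(target.query)
    if raw is None:
        return None
    image = unquote(raw)
    return {
        "ip": m.group("ip"),
        "image_url": image,
        "off_site": not is_same_site(image, site_host),
    }


def scan(lines, site_host="example.com"):
    """Return the classification of every matching line, in log order."""
    return [r for r in (classify(ln, site_host) for ln in lines) if r is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # Plain load of the SWF: no parameter, not a match.
    '203.0.113.5 - - [03/Jul/2013:10:00:01 +0000] "GET /wp-includes/js/swfupload/swfupload.swf HTTP/1.1" 200 512',
    # Absolute URL on another host: matched and off-site.
    '203.0.113.5 - - [03/Jul/2013:10:00:02 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonImageURL=http%3A%2F%2Fattacker.test%2Fbtn.png HTTP/1.1" 200 512',
    # Lower-case name after another parameter: matched thanks to [NC], same-site relative path.
    '198.51.100.7 - - [03/Jul/2013:10:00:03 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?movieName=x&buttonimageurl=/wp-content/btn.png HTTP/1.1" 200 512',
    # Same parameter on a different path: the RewriteRule only covers the SWF, so not a match.
    '198.51.100.7 - - [03/Jul/2013:10:00:04 +0000] "GET /wp-content/x.png?buttonImageURL=http://attacker.test/btn.png HTTP/1.1" 200 512',
    # Scheme-relative URL: matched and off-site.
    '203.0.113.5 - - [03/Jul/2013:10:00:05 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonImageURL=%2F%2Fattacker.test%2Fbtn.png HTTP/1.1" 200 512',
    # Absolute URL on our own host: matched, same-site.
    '203.0.113.5 - - [03/Jul/2013:10:00:06 +0000] "GET /wp-includes/js/swfupload/swfupload.swf?buttonImageURL=http://example.com/btn.png HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two points worth noting when reading the output. The host comparison is done on the parsed hostname, so scheme-relative values and userinfo tricks count as off-site even though the string contains the expected domain. And because the match, like the RewriteCond, runs on the undecoded query string, a percent-encoded parameter name is not matched by either; if the consuming client decodes parameter names, decoding before matching would be needed to close that gap.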
**nacin commented Jul 19, 2013**

Please take discussion to oss-security so Steve/Andrew/etc can see it.
