-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin

                         ASB-2012.0062
         WordPress 3.3.2 Security and Maintenance Release
                           23 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              WordPress prior to 3.3.2
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Increased Privileges   -- Existing Account
                      Cross-site Scripting   -- Remote with User Interaction
                      Unauthorised Access    -- Remote with User Interaction
                      Reduced Security       -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-2401 CVE-2012-2400 CVE-2012-2399
Member content until: Wednesday, May 23 2012

OVERVIEW

        WordPress 3.3.2 is now available, which resolves 3 external library
        security issues, along with 3 other security issues. [1]

IMPACT

        The three external library issues fixed in WordPress 3.3.2 include:

        "Unspecified vulnerability in wp-includes/js/swfupload/swfupload.swf
        in WordPress before 3.3.2 has unknown impact and attack vectors." [2]

        "Unspecified vulnerability in wp-includes/js/swfobject.js in
        WordPress before 3.3.2 has unknown impact and attack vectors." [3]

        "Plupload before 1.5.4, as used in wp-includes/js/plupload/ in
        WordPress before 3.3.2 and other products, enables scripting
        regardless of the domain from which the SWF content was loaded,
        which allows remote attackers to bypass the Same Origin Policy via
        crafted content." [4]

        Limited privilege escalation and cross-site scripting vulnerabilities
        were also fixed. [1]

MITIGATION

        The vendor recommends upgrading to WordPress 3.3.2. [1]

REFERENCES

        [1] WordPress 3.3.2 (and WordPress 3.4 Beta 3)
            http://wordpress.org/news/2012/04/wordpress-3-3-2/

        [2] Vulnerability Summary for CVE-2012-2399
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2399

        [3] Vulnerability Summary for CVE-2012-2400
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2400

        [4] Vulnerability Summary for CVE-2012-2401
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2401

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT5TIr+4yVqjM2NGpAQJYDA/9HGDpVYJAlDMN7JiqTtbWST0b2+wvGvv7
t5SRtDs8FRj8laO0D3vxtfSjQvf8Zqd3Nqc2M3Pvp5nNgvvo63sEc5Zo+lSg1nd/
q4PQFFgLw6kajJVpDdI2PdnYBkDER8Po3MaOc5x+UdhkhCdqeDaRJ2kP1gQcvV4m
asbhEy2BeFO2TfK82qTFzxH4k4zmJGdT1MubGNbFyylkutmCwYk28azO1/8c4B+7
HFnQQyu7RpiFrOSgFGKq4vl/NB+dT79qvIVc1pYvL14VGFVHj7kncD2GW8AkYqAb
ny7SwbowdckkmU6ThV/1w1eByJJM0C5Kcv6y9heiyQb4M9ZDX4ASdpxbsMfM0tJ9
mvndtJpZnW2Y3ORL1eX6RetusUJwqaczkHjpAgcH89TXHW8v75LXn6M++YfdeoEa
A/H+F5x180PltLhiXp7wo1+qdGqKKFysCFiuT2tUHpBuDXer0YiBebkV6yNnWlYB
pUWPMSKhr8zY6OnGI5G0UZRSZtVezOwdhUfKWXKy9zjNq3JfbzTlcxtdyuT9ADCR
2kgH67nJYIe7NqSUGLbTBGYipVwfMDLQg5izIT0dwWR81i7eg3JY0KxNg28OhSiC
1MQTUVCYOTUQzVsozWs9Fa2W29Etc8Uzqio5Frh/e5JRSiFdPfyL1AZXQH5SvDgr
SGYhFx0jp+w=
=Bv9l
-----END PGP SIGNATURE-----
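The bulletin's affected-version condition ("WordPress before 3.3.2") and its mitigation (upgrade to 3.3.2) reduce to a version comparison that an administrator can run against each install on disk. The script below is an added example for this bulletin, not AusCERT's or WordPress's own code: it reads the `$wp_version` assignment that WordPress keeps in `wp-includes/version.php`, decides whether the install predates the fix release, and lists which of the bundled library paths named in the bulletin are present. The version.php contents used for the sample run are constructed, and `audit_install` assumes `root` is the top of an untouched WordPress tree; the bundled-path listing is informational only, since the bulletin ties the fix to the WordPress version, not to the mere presence of those files.

```python
"""Flag WordPress installs that predate the 3.3.2 fix release (ASB-2012.0062)."""
import re
from pathlib import Path

# Release the bulletin says resolves the issues.
FIXED_RELEASE = (3, 3, 2)

# Paths the bulletin names for the three external library issues. Presence alone
# does not establish vulnerability; it only confirms the bundled components exist.
BUNDLED_LIBRARY_PATHS = (
    "wp-includes/js/swfupload/swfupload.swf",
    "wp-includes/js/swfobject.js",
    "wp-includes/js/plupload",
)

_WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(version_php: str) -> str:
    """Return the $wp_version string from the text of wp-includes/version.php."""
    m = _WP_VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version: str):
    """Split '3.3.2' or '3.4-beta3' into (numeric tuple, is_final_release).

    A pre-release build (non-empty suffix) is treated as older than the final
    release carrying the same numbers.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    return nums, m.group(2) == ""


def is_before_fix(version: str) -> bool:
    """True when the install matches the bulletin's 'WordPress before 3.3.2'."""
    nums, final = version_key(version)
    if nums != FIXED_RELEASE:
        # Tuple comparison handles short versions: (3, 3) < (3, 3, 2) < (3, 4).
        return nums < FIXED_RELEASE
    return not final  # a 3.3.2 pre-release build is still before the release


def audit_install(root) -> dict:
    """Inspect a WordPress tree on disk and report whether it needs the upgrade."""
    root = Path(root)
    version = parse_wp_version((root / "wp-includes" / "version.php").read_text())
    return {
        "version": version,
        "needs_upgrade": is_before_fix(version),
        "bundled_libraries_present": [
            p for p in BUNDLED_LIBRARY_PATHS if (root / p).exists()
        ],
    }


# Constructed sample contents of wp-includes/version.php (not from any real install).
SAMPLE_VERSION_PHP = {
    "vulnerable": "<?php\n$wp_version = '3.3.1';\n",
    "fixed": "<?php\n$wp_version = '3.3.2';\n",
    "beta": "<?php\n$wp_version = '3.4-beta3';\n",
}

if __name__ == "__main__":
    for label, text in SAMPLE_VERSION_PHP.items():
        v = parse_wp_version(text)
        print(f"{label:10} {v:10} needs upgrade: {is_before_fix(v)}")
```

Running the script on the constructed samples reports the 3.3.1 install as needing the upgrade and leaves 3.3.2 and 3.4-beta3 alone, matching the reference's note that 3.4 Beta 3 also carries the fix. To audit a live tree, call `audit_install("/path/to/wordpress")` instead of relying on the sample strings.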