cafelog.txt

Posted Oct 3, 2003
Authored by Seth Woolley

WordPress Cafelog is vulnerable to a number of SQL injection attacks that a local attacker with access to the same filesystem as the database can exploit.

tags | exploit, local, sql injection
SHA-256 | 74b75135b16d5c546fca3aaed5d5aa888b0f45c7d26468f13f0b98bff599dfbb

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Vendor:
Cafelog

Product:
WordPress (formerly b2)
http://www.wordpress.org/

Vulnerable Versions:
* CVS versions before October 1, 2003
* Vulnerability affects code inherited from b2, so all versions of
wordpress released before CVS fix are affected and many versions of b2
are also affected.

Description:
A number of SQL injection vulnerabilities have been fixed that could allow
arbitrary SQL to be injected if one has local access to the filesystem the
database can access (using 'source filename.sql;'). The characters ', " and
\ are all filtered, and ' ' (space) is munged into SQL constructs before
injection, so %09 (tab char) can be used where spaces would normally be in
the SQL string one wishes to inject. The problem affects the category (cat)
and order by (order_by) code. The author (author) code was almost
vulnerable, except for a small bug that misconverted author to an integer
before string processing. The problems are located in the blog.header.php
file, and a patch is included below (provided by the authors) that fixes
the vulnerabilities and includes general bug fixes and code cleanup. Any
SQL string not including quotes or a backslash can be injected through the
URL (e.g. 'drop table foo;').
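The following PHP is an added illustration, not code from WordPress/b2, the vendor patch, or this advisory. It reconstructs the kind of character blacklist the description above refers to (the exact munging of spaces in blog.header.php is assumed, not copied) and contrasts it with typed validation: a digits-only check plus integer cast for cat, the same effect the advisory notes accidentally protected author, and a fixed allowlist for order_by. Function names, the allowlist contents and the sample inputs are all constructed for the example.

```php
<?php
// Added example; not the project's code. Shows why a character blacklist
// does not protect a query parameter and what typed validation looks like.

// Blacklist filter of the kind the advisory describes (assumed shape): strip
// the quote characters and backslash, and rewrite spaces. A tab (%09) is
// not in the list, so it passes through untouched.
function weak_filter(string $value): string {
    $value = str_replace(["'", '"', '\\'], '', $value);
    return str_replace(' ', '+', $value); // constructed stand-in for the space munging
}

// Hardened handling for a numeric parameter such as cat: accept only a run
// of digits, then cast. Anything else (tabs, parentheses, keywords) is
// rejected and the caller falls back to "no category filter".
function validate_cat(?string $value): ?int {
    if ($value === null || !preg_match('/^[0-9]+$/', $value)) {
        return null;
    }
    return (int) $value;
}

// Hardened handling for order_by: the parameter never reaches the query as
// text; it only selects one of a fixed set of clauses (constructed list).
function validate_order_by(?string $value): string {
    $allowed = [
        'post_date DESC', 'post_date ASC',
        'post_title ASC', 'post_title DESC',
    ];
    return in_array($value, $allowed, true) ? $value : 'post_date DESC';
}

// The cat value quoted in the advisory, URL-decoded so %09 becomes a tab.
$payload = urldecode('100)%09or%090=0%09or%09(0=1');

// The blacklist leaves the injected clause intact: only quotes, backslash
// and spaces are touched, and the payload contains none of them.
$filtered = weak_filter($payload);
echo 'weak_filter changed nothing: ' . var_export($filtered === $payload, true) . "\n";

// Typed validation rejects the payload and accepts the legitimate value.
var_dump(validate_cat($payload));   // NULL
var_dump(validate_cat('100'));      // int(100)

// A tab-separated order_by string is not in the allowlist and is replaced
// by the default clause instead of being appended to the SQL.
var_dump(validate_order_by("post_date\tDESC;\tdrop\ttable\tfoo")); // "post_date DESC"
var_dump(validate_order_by('post_title ASC'));                     // "post_title ASC"
```

The point of the contrast is that the fix is not a longer blacklist (adding \t would still leave other whitespace and comment sequences to think about) but refusing to treat user input as SQL text at all: numeric parameters are cast, and free-form parameters are mapped onto an allowlist the code controls.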

Patch:
http://cvs.sourceforge.net/viewcvs.py/cafelog/wordpress/blog.header.php.diff?r1=text&tr1=1.18&r2=text&tr2=1.21&diff_format=u

Exploit:
http://fresh.wordpress.org/index.php?cat=100)%09or%090=0%09or%09(0=1

Exploit example exposes private posts. Dropping tables should be trivial,
especially using the order_by flaw.

Date Discovered:
Sunday, 28 Sept 2003

Dates Vendor Notified:
Monday, 29 Sept 2003 - Tuesday, 30 Sept 2003

Vendor was notified of problems on Monday. On Tuesday, discoverer gave a
full report of the extent of the problems via IRC.

Date Fixed:
Wednesday, 1 Oct 2003

Date Published:
Thursday, 2 Oct 2003

Discoverer:
Seth Woolley <seth at tautology.org>

Disclaimer:
I (Seth) am not a php expert, and I don't run this code, so I haven't
tested the vendor-provided patch yet, although I assume the vendor has.
Be advised.

Acknowledgements:
I would like to thank the wordpress developers for providing the patch in
a timely and responsible manner (specifically Matthew Mullenweg for being
my vendor contact).

- --
Seth Alan Woolley <seth at tautology.org>, SPAM/UCE is unauthorized
Key id 7BEACC7D = 2978 0BD1 BA48 B671 C1EB 93F7 EDF4 3CDF 7BEA CC7D
Full Key at seth.tautology.org and pgp.mit.edu. info: www.gnupg.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/fQTz7fQ833vqzH0RAreJAJ0YzWPNFp4aqWrKnFJnFMo8HkiduwCeOPd/
sUqIIAbtDJ6iA8r4HOor4LU=
=Qwy4
-----END PGP SIGNATURE-----