ID: CVE-2007-6318
Type: cve
Reporter: NVD
Modified: 2018-10-15T17:52:02
Description
SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a multibyte character.
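The condition in the description, as an added Python example that is not code from WordPress or from the advisory: it models PHP's addslashes() byte for byte, then reads the escaped bytes under each candidate DB_CHARSET to show where the quote survives and why a UTF-8 connection charset closes the gap. The helper names (`live_quotes`, `exposure`, `escape_for_charset`) and the decode-then-scan model of the SQL parser are assumptions made here; the probe bytes 0xB3 0x27 are the ones quoted in the advisory text in the record below.

```python
"""Added example: byte-wise escaping versus the connection character set."""

# What PHP addslashes() emits for each byte it escapes.
ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}


def addslashes(raw: bytes) -> bytes:
    """Byte-level model of PHP addslashes(); it never looks at the charset."""
    return b"".join(ESCAPED.get(b, bytes([b])) for b in raw)


def live_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes that still act as delimiters once the bytes are
    read as characters of `charset` (assumed model of a charset-aware parser)."""
    text = escaped.decode(charset, errors="replace")
    live, i = 0, 0
    while i < len(text):
        if text[i] == "\\":      # a real backslash neutralises the next character
            i += 2
            continue
        if text[i] == "'":
            live += 1
        i += 1
    return live


def exposure(raw: bytes, charsets=("big5", "gbk", "utf-8", "latin-1")) -> dict:
    """Live quotes left behind by addslashes() under each candidate DB_CHARSET."""
    escaped = addslashes(raw)
    return {cs: live_quotes(escaped, cs) for cs in charsets}


def escape_for_charset(raw: bytes, charset: str) -> bytes:
    """Hypothetical charset-aware escape: validate, escape characters, re-encode."""
    try:
        text = raw.decode(charset)   # strict decode: malformed input is rejected
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}") from exc
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in text).encode(charset)


if __name__ == "__main__":
    probe = b"\xb3\x27"              # the two bytes named in the advisory
    print("addslashes ->", addslashes(probe).hex())
    for cs, n in exposure(probe).items():
        print(f"{cs:8s} live quotes after addslashes: {n}")

    # Constructed sample: valid Big5 text, one two-byte character whose
    # trail byte is 0x5C, followed by a single quote.
    legit = b"\xb3\x5c\x27"
    print("byte-wise :", live_quotes(addslashes(legit), "big5"))
    print("char-wise :", live_quotes(escape_for_charset(legit, "big5"), "big5"))

    try:
        escape_for_charset(probe, "gbk")
    except ValueError as err:
        print("rejected  :", err)
```

Byte-wise escaping also breaks legitimate Big5 text whose trail byte is 0x5C, so the charset mismatch shows up as data corruption on affected sites as well as an injection path.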
{"exploitdb": [{"lastseen": "2016-01-31T21:36:57", "bulletinFamily": "exploit", "description": "Wordpress <= 2.3.1 Charset Remote SQL Injection Vulnerability. CVE-2007-6318. Webapps exploit for php platform", "modified": "2007-12-11T00:00:00", "published": "2007-12-11T00:00:00", "id": "EDB-ID:4721", "href": "https://www.exploit-db.com/exploits/4721/", "type": "exploitdb", "title": "WordPress <= 2.3.1 - Charset Remote SQL Injection Vulnerability", "sourceData": "=== WordPress Charset SQL Injection Vulnerability ===\n\nRelease date: 2007-12-10\nLast modified: 2007-12-12\nSource: Abel Cheung <abelcheung at gmail dot com>\nAffected version: WordPress <= 2.3.1\nExploit type: Remote\nRisk: Moderate\nCVE: pending\nReference: http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt\n\n\n1. Summary\n2. Detail\n3. Proof of concept\n4. Workaround\n\n\n1. Summary\n\n Quoting from http://wordpress.org/:\n WordPress is a state-of-the-art semantic personal publishing platform\n with a focus on aesthetics, web standards, and usability.\n What a mouthful. WordPress is both free and priceless at the same time.\n\n It is found that the search function provided within WordPress fails to\n sanitize input based on different character sets. So if WordPress tries\n to query MySQL database using certain specific character sets, WordPress\n search function is exploitable using charset-based SQL injection.\n\n Currently known character sets exploitable include Big5 and GBK.\n All of them may use backslash ('\\') as part of multibyte character. \n WordPress with MySQL database created any other character sets fulfilling\n such property may also be exploitable.\n\n Executing this attack alone results in exposure of all database\n content on web interface without need of authentication. 
However, if\n combined with other exploits (such as cookie authentication vulnerability\n in http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt),\n any remote user can obtain WordPress admin privilege, resulting in server\n compromise.\n\n\n2. Detail\n\n Most database query in WordPress uses escape() method to sanitize SQL\n string, which is essentially filtering input via addslashes() function.\n However addslashes() fails to consider character set used in SQL string,\n and blindly inserts backslash before any single quote, regardless of\n whether such backslashes will form another valid character or not.\n\n In proof of concept used in this advisory, two bytes 0xB327 is\n injected into search variable. After escaping string with escape(),\n a backslash (0x5C) is inserted before single quote (0x27), thus becoming\n 0xB35C27. However 0xB35C is a valid Big5 multibyte character,\n leaving the single quote behind, so SQL injection occurs. The same\n multibyte character is also valid under GBK encoding.\n\n Inside SQL statement used within proof of concept, MD5 hashes of all\n users' passwords are selected from database, and presented as post\n title. With suitable SQL statement, any database field can be dumped\n in similar way.\n\n Currently it is known that WordPress search function uses this\n insufficient method to sanitize database query. Possibly other\n database queries utilizing same method to filter user input can be\n equally susceptible.\n\n However, note that WordPress sites using such character sets is not\n very common, since most default installation uses either latin1 or utf8\n character set. Asian sites, in particular Chinese ones, are more likely\n vulnerable.\n\n Although all WordPress versions before 2.3.1 are vulnerable, only\n WordPress 2.2 or above allows changing database query character set\n via WordPress configuration file (wp-config.php). 
For all versions\n below 2.2, modifying MySQL configuration to use those character sets\n is needed for exploit to be functional. The setting of WordPress HTML\n character set (adjustable within WordPress admin page) is irrelevant.\n\n\n Relevant code is listed below. In wp-includes/query.php:\n\n// If a search pattern is specified, load the posts that match\nif ( !empty($q['s']) ) {\n ......\n foreach((array)$q['search_terms'] as $term) {\n $term = addslashes_gpc($term);\n ......\n}\n\n addslashes_gpc() is defined in wp-includes/formatting.php:\n\nfunction addslashes_gpc($gpc) {\n ......\n return $wpdb->escape($gpc);\n}\n\n\n Finally, escape() method belongs to wp-includes/wp-db.php:\n\nfunction escape($string) {\n return addslashes( $string ); // Disable rest for now, causing problems\n ......\n}\n\n\n3. Proof of concept\n\n a. After WordPress installation, modify wp-config.php to make sure\n it uses certain character set for database connection (Big5 can also be used):\n define('DB_CHARSET', 'GBK');\n\n b. http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23\n\n\n4. Workaround\n\n Note: This vulnerability only exists for database queries performed\n using certain character sets. For databases created in most other\n character sets no remedy is needed.\n\n a. It is recommended to convert WordPress database to use character sets not\n vulnerable to such SQL exploit. One such charset is UTF-8, which does not\n use backslash ('\\') as part of character and it supports various languages.\n Even if database charset conversion is inconvenient or impossible, use UTF-8\n as DB_CHARSET setting to avoid sending query using vulnerable multibyte charset.\n b. 
Alternatively, modify WordPress core (query.php) to remove search capability.\n\n\nChangeLog:\n- 2007-12-12\n* Modify workaround (thanks to Florian Sander for suggestion)\n\n# milw0rm.com [2007-12-11]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4721/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:35", "bulletinFamily": "software", "description": "## Vulnerability Description\nWordpress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'wp-includes/query.php' script not properly sanitizing user-supplied input to the 's' variable when DB_CHARSET is set to character set encodings that support a \"\\\" in a multibyte character. This may allow an attacker to inject or manipulate SQL queries in the backend database.\n## Manual Testing Notes\nhttp://[target]/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23\n## References:\nVendor URL: http://wordpress.org/\nSecurity Tracker: 1019071\n[Secunia Advisory ID:28005](https://secuniaresearch.flexerasoftware.com/advisories/28005/)\n[Secunia Advisory ID:28310](https://secuniaresearch.flexerasoftware.com/advisories/28310/)\nOther Advisory URL: http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt\nOther Advisory URL: https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00098.html\nMail List Post: http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058999.html\nISS X-Force ID: 38959\nFrSIRT Advisory: ADV-2007-4172\n[CVE-2007-6318](https://vulners.com/cve/CVE-2007-6318)\nBugtraq ID: 26795\n", "modified": "2007-12-10T00:00:00", "published": "2007-12-10T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:39552", "id": "OSVDB:39552", "title": "WordPress wp-includes/query.php s Variable SQL Injection", 
"type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T22:02:03", "bulletinFamily": "exploit", "description": "CVE-2007-6318\r\n\r\nWordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.\r\n\r\nExploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. \n\nWordPress WordPress 2.3.1 \r\nWordPress WordPress 2.2.3 \r\nWordPress WordPress 2.2.2 \r\nWordPress WordPress 2.2.1 \r\nWordPress WordPress 2.2.1 \r\nWordPress WordPress 2.1.3 \r\nWordPress WordPress 2.1.3 \r\nWordPress WordPress 2.1.2 \r\nWordPress WordPress 2.1.1 \r\nWordPress WordPress 2.0.10 \r\nWordPress WordPress 2.0.7 \r\nWordPress WordPress 2.0.6 \r\nWordPress WordPress 2.0.5 \r\nWordPress WordPress 2.0.4 \r\nWordPress WordPress 2.0.3 \r\nWordPress WordPress 2.0.2 \r\nWordPress WordPress 2.0.1 \r\nWordPress WordPress 2.0 \r\nWordPress WordPress 2.3\r\nWordPress WordPress 2.2 Revision 5003\r\nWordPress WordPress 2.2 Revision 5002\r\nWordPress WordPress 2.2\r\nWordPress WordPress 2.1.3-RC2\r\nWordPress WordPress 2.1.3-RC1\r\nWordPress WordPress 2.1\r\nWordPress WordPress 2.0.10-RC2\r\nWordPress WordPress 2.0.10-RC1\r\nRedHat Fedora 8 0\r\nRedHat Fedora 7 0\r\n\n \u5b98\u65b9\u6682\u65e0\r\n\u8bf7\u53c2\u9605\u53c2\u8003\u8d44\u6599\uff0c\u4e3a\u5382\u5546\u8b66\u544a\u3002", "modified": "2008-01-06T00:00:00", "published": "2008-01-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2773", "id": "SSV:2773", "title": "WordPress wp-db.php Character Set SQL Injection Vulnerability", "type": "seebug", "sourceData": "\n The following proof-of-concept exploit is 
available:\r\n\r\nhttp://www.example.com/wordpress/index.php?exact=1&amp;sentence=1&amp;s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-2773"}], "openvas": [{"lastseen": "2017-07-25T10:56:00", "bulletinFamily": "scanner", "description": "Check for the Version of wordpress", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=860813", "id": "OPENVAS:860813", "title": "Fedora Update for wordpress FEDORA-2008-0103", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wordpress FEDORA-2008-0103\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"wordpress on Fedora 8\";\ntag_insight = \"Wordpress is an online publishing / weblog package that makes it very easy,\n almost trivial, to get information out to people on the web.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00079.html\");\n script_id(860813);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:12:43 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2008-0103\");\n script_cve_id(\"CVE-2007-6013\", \"CVE-2007-6318\");\n script_name( \"Fedora Update for wordpress FEDORA-2008-0103\");\n\n script_summary(\"Check for the Version of wordpress\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC8\")\n{\n\n if ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.3.2~1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.3.2~1.fc8\", rls:\"FC8\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:56:19", "bulletinFamily": "scanner", "description": "Check for the Version of wordpress", "modified": "2017-07-10T00:00:00", "published": "2009-02-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=860301", "id": "OPENVAS:860301", "title": "Fedora Update for wordpress FEDORA-2008-0126", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wordpress FEDORA-2008-0126\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"wordpress on Fedora 7\";\ntag_insight = \"Wordpress is an online publishing / weblog package that makes it very easy,\n almost trivial, to get information out to people on the web.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00098.html\");\n script_id(860301);\n script_version(\"$Revision: 6623 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:10:20 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-17 17:12:43 +0100 (Tue, 17 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2008-0126\");\n script_cve_id(\"CVE-2007-6013\", \"CVE-2007-6318\");\n script_name( \"Fedora Update for wordpress FEDORA-2008-0126\");\n\n script_summary(\"Check for the Version of wordpress\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC7\")\n{\n\n if ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.3.2~1.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~2.3.2~1.fc7\", rls:\"FC7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:08:00", "bulletinFamily": "scanner", "description": "This closes :\n\nhttp://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-go\ning-to-post-tomorrow/\n\nhttp://www.securityfocus.com/archive/1/485252/30/0/threaded\n\nhttp://trac.wordpress.org/ticket/5487\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-24T00:00:00", "published": "2008-01-04T00:00:00", "id": "FEDORA_2008-0126.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=29845", "title": "Fedora 7 : wordpress-2.3.2-1.fc7 (2008-0126)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-0126.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29845);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2018/12/24 10:14:26\");\n\n script_cve_id(\"CVE-2007-6013\", \"CVE-2007-6318\");\n script_xref(name:\"FEDORA\", value:\"2008-0126\");\n\n script_name(english:\"Fedora 7 : wordpress-2.3.2-1.fc7 (2008-0126)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This closes :\n\nhttp://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-go\ning-to-post-tomorrow/\n\nhttp://www.securityfocus.com/archive/1/485252/30/0/threaded\n\nhttp://trac.wordpress.org/ticket/5487\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://trac.wordpress.org/ticket/5487\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://core.trac.wordpress.org/ticket/5487\"\n );\n # http://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-going-to-post-tomorrow/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?89de3fa2\"\n );\n # http://www.securityfocus.com/archive/1/485252/30/0/threaded\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/485252/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=426431\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=426432\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-January/006451.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c49cbb2d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(89, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/01/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 7.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC7\", reference:\"wordpress-2.3.2-1.fc7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:08:00", "bulletinFamily": "scanner", "description": "This closes :\n\nhttp://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-go\ning-to-post-tomorrow/\n\nhttp://www.securityfocus.com/archive/1/485252/30/0/threaded\n\nhttp://trac.wordpress.org/ticket/5487\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the 
Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-12-24T00:00:00", "published": "2008-01-04T00:00:00", "id": "FEDORA_2008-0103.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=29843", "title": "Fedora 8 : wordpress-2.3.2-1.fc8 (2008-0103)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2008-0103.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29843);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2018/12/24 10:14:26\");\n\n script_cve_id(\"CVE-2007-6013\", \"CVE-2007-6318\");\n script_xref(name:\"FEDORA\", value:\"2008-0103\");\n\n script_name(english:\"Fedora 8 : wordpress-2.3.2-1.fc8 (2008-0103)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This closes :\n\nhttp://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-go\ning-to-post-tomorrow/\n\nhttp://www.securityfocus.com/archive/1/485252/30/0/threaded\n\nhttp://trac.wordpress.org/ticket/5487\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://trac.wordpress.org/ticket/5487\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://core.trac.wordpress.org/ticket/5487\"\n );\n # http://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-going-to-post-tomorrow/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?89de3fa2\"\n );\n # http://www.securityfocus.com/archive/1/485252/30/0/threaded\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/485252/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=426431\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=426433\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2008-January/006432.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bfffa22e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(89, 287);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:8\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/01/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/01/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 8.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC8\", reference:\"wordpress-2.3.2-1.fc8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}