Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

cafelog.txt

🗓️ 03 Oct 2003 00:00:00Reported by Seth WoolleyType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 36 Views

SQL injection vulnerabilities in WordPress before October 1, 2003; patch available.

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Vendor:  
Cafelog  
  
Product:  
WordPress (formerly b2)  
http://www.wordpress.org/  
  
Vulnerable Versions:  
* CVS versions before October 1, 2003  
* Vulnerability affects code inherited from b2, so all versions of  
wordpress released before CVS fix are affected and many versions of b2  
are also affected.  
  
Description:  
A number of SQL injection vulnerabilities have been fixed that could allow  
arbitrary SQL to be injected if one has local access to the filesystem the  
database can access (using 'source filename.sql;'). ''', '"', '\' are all  
filtered, and ' ' is munged into SQL constructs before injection, so %09  
(tab char) can be used where spaces would normally be in the sql string  
one wishes to inject. The problem affects the category (cat) and order by  
(order_by) code. The author (author) code was almost vulnerable, except  
for a small bug that misconverted author to an integer before string  
processing. The problems are located in the blog.header.php file, and a  
patch is included below (provided by the authors) that fixes the  
vulnerabilities and includes general bug fixes and code cleanup. Any SQL  
string not including quotes or a backslash can be injected through the URL  
(i.e. 'drop table foo;').  
  
Patch:  
http://cvs.sourceforge.net/viewcvs.py/cafelog/wordpress/blog.header.php.diff?r1=text&tr1=1.18&r2=text&tr2=1.21&diff_format=u  
  
Exploit:  
http://fresh.wordpress.org/index.php?cat=100)%09or%090=0%09or%09(0=1  
  
Exploit example exposes private posts. Dropping tables should be trivial,  
especially using the order_by flaw.  
  
Date Discovered:  
Sunday, 28 Sept 2003  
  
Dates Vendor Notified:  
Monday, 29 Sept 2003 - Tuesday, 30 Sept 2003  
  
Vendor was notified of problems on Monday. On Tuesday, discoverer gave a  
full report of the extent of the problems via IRC.  
  
Date Fixed:  
Wednesday, 1 Oct 2003  
  
Date Published:  
Thursday, 2 Oct 2003  
  
Discoverer:  
Seth Woolley <seth at tautology.org>  
  
Disclaimer:  
I (Seth) am not a php expert, and I don't run this code, so I haven't  
tested the vendor-provided patch yet, although I assume the vendor has.  
Be advised.  
  
Acknowledgements:  
I would like to thank the wordpress developers for providing the patch in  
a timely and responsible manner (specifically Matthew Mullenweg for being  
my vendor contact).  
  
- --  
Seth Alan Woolley <seth at tautology.org>, SPAM/UCE is unauthorized  
Key id 7BEACC7D = 2978 0BD1 BA48 B671 C1EB 93F7 EDF4 3CDF 7BEA CC7D  
Full Key at seth.tautology.org and pgp.mit.edu. info: www.gnupg.org  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.2 (FreeBSD)  
  
iD8DBQE/fQTz7fQ833vqzH0RAreJAJ0YzWPNFp4aqWrKnFJnFMo8HkiduwCeOPd/  
sUqIIAbtDJ6iA8r4HOor4LU=  
=Qwy4  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Oct 2003 00:00Current
cafelogwordpresssql injectionvulnerable versionsblog.header.phppatch availablesecurity fix.
36