Bugtraq mailing list archives
[BuHa Security] Wordpress SQL-Injection
From: Thomas Waldegger <bugtraq () morph3us org>
Date: 20 May 2005 03:52:58 -0000
---------------------------------------------------
| BuHa Security-Advisory #1        May 17th, 2005 |
---------------------------------------------------
| Vendor   | WordPress                              |
| URL      | http://wordpress.org/                  |
| Version  | <= WordPress 1.5                       |
| Risk     | Moderate (SQL-Injection)               |
---------------------------------------------------

o Description:
=============

WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability. Visit
http://wordpress.org/ for detailed information.

o SQL-Injection:
===============

The most critical vulnerability in the 1.5 release of WordPress is an
SQL injection in `wp-trackback.php'. It is not easily exploitable,
because you do not get a result when you inject a valid query, but it
is possible to brute-force values in the tables - for example the
password hashes.

Here are some details: the parameter `tb_id' in `wp-trackback.php' is
not validated correctly, and there are no quotes around it in the SQL
query, so an attacker is able to insert SQL commands.

  $pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id");

Example (I converted the POST request into a GET request):

  $tb_id = 1 union select user_pass,0 from wp_users
  $url   = bla
  $title = bla

  </wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20wp_users&url=bla&title=bla>

By injecting this query I get the following database error:

  WordPress database error: [The used SELECT statements have a different number of columns]
  SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0, user_pass from wp_users

When I insert "1 union select user_pass from wp_users" as the value for
`tb_id' I get no error message, because the query is well-formed -
logical. Since any SQL command can be inserted, it is possible to
'reconstruct' values of the tables.

o XSS:
=====

  </wp-admin/edit.php?s=[XSS]&submit=Search>
  </wp-admin/post.php?action=confirmdeletecomment&comment=1&p=[XSS]>

o Path Disclosure:
=================

  </wordpress-1.5-strayhorn/wp-content/themes/*>
  </wordpress-1.5-strayhorn/wp-includes/*>
  </wordpress-1.5-strayhorn/wp-admin/*>

  Fatal error: Call to undefined function add_filter() in
  [...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/wp-content/themes/classic/comments-popup.php on line 3

o Disclosure Timeline:
=====================

  17 Apr 05 - Security flaws discovered.
  19 Apr 05 - Vendor contacted.
  10 May 05 - Vendor released bugfixed version.
  17 May 05 - Public release.

o Solution:
==========

Upgrade to WordPress 1.5.1 [1]

o Credits:
=========

Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/

[1] http://wordpress.org/development/2005/05/one-five-one/
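The root cause described above is that `tb_id' reaches an unquoted integer comparison without being checked. The following is an added example (not code from the advisory or from WordPress) showing the server-side check a fix needs, plus a detector that applies the same check to web-server access logs; it assumes Apache common-log-format lines, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [17/May/2005:10:00:01 +0200] "GET /wp-trackback.php?tb_id=1&url=bla&title=bla HTTP/1.1" 200 512
10.0.0.5 - - [17/May/2005:10:00:02 +0200] "GET /wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20wp_users&url=bla&title=bla HTTP/1.1" 200 734
10.0.0.7 - - [17/May/2005:10:00:03 +0200] "POST /blog/wp-trackback.php?tb_id=42 HTTP/1.1" 200 118
10.0.0.9 - - [17/May/2005:10:00:04 +0200] "GET /index.php?p=3 HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def safe_post_id(raw):
    """Server-side validation for tb_id: the query compares it to the integer
    column ID without quotes, so only a decimal number may reach the SQL.
    Returns the integer, or None when the value must be rejected."""
    if raw is None or not re.fullmatch(r"[0-9]+", raw):
        return None
    return int(raw)


def suspicious_trackbacks(log_text):
    """Scan access-log lines for wp-trackback.php requests whose tb_id would
    fail safe_post_id(). Returns a list of (client_ip, decoded tb_id)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-trackback.php"):
            continue
        # parse_qs percent-decodes, so "%20union%20" becomes " union ".
        for value in parse_qs(parts.query).get("tb_id", []):
            if safe_post_id(value) is None:
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_trackbacks(SAMPLE_LOG):
        print(f"{ip}: tb_id={value!r}")
```

Because the trackback is normally a POST, a tb_id sent in the request body never appears in the access log, so this detector only covers the GET variant; the validation function is the part that closes the hole for both.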