oss-sec mailing list archives
Re: CVE-request: WordPress SQL injection and arbitrary code injection (2003)
From: Kurt Seifried <kseifrie () redhat com>
Date: Fri, 06 Jan 2012 09:17:18 -0700
On 01/06/2012 03:38 AM, Henri Salo wrote:
On Wed, Jan 04, 2012 at 02:27:58PM -0700, Kurt Seifried wrote:On 01/03/2012 02:41 PM, Henri Salo wrote:These two WordPress security vulnerabilities from 2003 are still without CVE-identifiers. I am requesting CVE-identifiers as these issues have highly critical impact. 1) SQL injection http://osvdb.org/show/osvdb/4610Please use CVE-2003-1598 for the WordPress 0.70 ./wp-links/links.all.php SQL Injection2) Arbitrary code injection http://osvdb.org/show/osvdb/4611Please use CVE-2003-1599 for the WordPress 0.70 ./blog.header.php code injectionSecunia advisory: http://secunia.com/advisories/8954/ - Henri Salohttp://www.kernelpanik.org/docs/kernelpanik/wordpressadv.txt -- -- Kurt Seifried / Red Hat Security Response TeamThank you for the identifiers. Descriptions are switched. 4610 CVE-2003-1598 is about blog.header.php posts variable SQL injection 4611 CVE-2003-1599 is about links.all.php abspath variable RFI OSVDB already added these to the advisories, but that can be easily fixed. In future I can add files affected and correct parameters to these requests for clarity. Sorry for the confusion, but could you tell me which CVE should be used for which vulnerability? - Henri Salo
Yeah I got them switched around. The correct assignment is: 2. Descripcion. ========== WordPress 0.7 permite la ejecucion remota de comandos en ./wp-links/links.all.php. Un atacante puede inyectar una url en $abspath y obtener ejecucion remota de comandos con los privilegios del servidor web (habitualmente nobody). WordPress 0.7 allows remote execution of commands. / Wp-links / links.all.php. An attacker can inject a url in $ abspath and get remote execution of commands with the privileges of the server web (usually nobody). CVE-2003-1599 is about links.all.php abspath variable RFI ========== WordPress 0.7 (codigo de b2 cafelog) permite inyeccion sql en ./blog.header.php. $posts no se convierte a entero, por lo que podemos inyectar sql en esta variable. En MySQL 4.x podemos utilizar UNION y subselects para obtener privilegios. WordPress 0.7 (b2 cafelog code) allows SQL injection. / Blog.header.php. $ posts not converted to an integer, so we can inject sql in this variable. In MySQL 4.x can use UNION and subselects to obtain privileges. CVE-2003-1598 is about blog.header.php posts variable SQL injection ========== Since these are very old I think we can get away with switching them and not re-assigning. -- -- Kurt Seifried / Red Hat Security Response Team
Current thread:
- CVE-request: WordPress SQL injection and arbitrary code injection (2003) Henri Salo (Jan 03)
- Re: CVE-request: WordPress SQL injection and arbitrary code injection (2003) Kurt Seifried (Jan 04)
- Re: CVE-request: WordPress SQL injection and arbitrary code injection (2003) Henri Salo (Jan 06)
- Re: CVE-request: WordPress SQL injection and arbitrary code injection (2003) Kurt Seifried (Jan 06)
- Re: CVE-request: WordPress SQL injection and arbitrary code injection (2003) Henri Salo (Jan 06)
- Re: CVE-request: WordPress SQL injection and arbitrary code injection (2003) Kurt Seifried (Jan 04)