Full Disclosure mailing list archives
Wordpress 2.1.2 xmlrpc Vulnerabilities
From: "Sumit Siddharth" <sumit.siddharth () gmail com>
Date: Thu, 5 Apr 2007 23:49:15 +0100
Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities

Affected Versions: These issues were reported in version 2.1.2, and it is very likely that previous versions are also vulnerable.

1. Privilege Escalation

Under normal circumstances (through the web interface) a user in the contributor role only has access to the following capabilities:

  a. read
  b. edit_posts

The 'publish_posts' capability is restricted to users in the author, editor or administrator roles. However, this check is not implemented in xmlrpc.php, which allows a user in the contributor role to publish a previously saved post to the website. No exploit code is required.

2. SQL Injection

This is only exploitable by authenticated users. The post_id parameter is not properly sanitized before its value is passed to the backend database, which results in SQL injection. Exploiting this is pretty trivial. As it is an integer-based injection (no quote character is needed in the payload), it works irrespective of the PHP magic_quotes setting. I wrote a simple proof of concept for this.

Download exploit: http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl

Successful exploitation of this will give you the usernames and MD5 password hashes of all users, including the admin user. Once you have the admin user's hash, needless to say, you can create a PHP backdoor, and that is essentially game over. :-)

Workaround:

1. Disable xmlrpc if you don't use it, or restrict its access to trusted users only.

Vendor's response:

1. Vendor notified on 22nd March 2007.
2. New version released on 2nd April 2007.
3. Advisory released on 2nd April 2007.

--
Sumit Siddharth
www.notsosecure.com
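The two flaws described above, modelled side by side with their fixes, as an added example that is not part of the original advisory and not WordPress code. The role-to-capability map follows the advisory's description (contributor: read and edit_posts; author and above: publish_posts); the table layout, the user rows and hashes, and every function name (current_user_can, vulnerable_lookup, vulnerable_publish, hardened_publish, demo) are constructed for illustration. The point it makes concrete is the one the advisory relies on: magic_quotes-style escaping only touches quote characters, so a payload dropped into an unquoted integer context passes through untouched, while an explicit integer cast plus a bound parameter stops it, and a capability check closes the contributor-publish hole.

```python
"""Toy model of the xmlrpc.php issues in the advisory and their fixes.
Added example, not WordPress code: schema, rows, hashes and function names
are constructed for illustration."""
import sqlite3

# Constructed role -> capability map (subset of the WordPress roles).
ROLE_CAPS = {
    "contributor": {"read", "edit_posts"},
    "author": {"read", "edit_posts", "publish_posts"},
    "editor": {"read", "edit_posts", "publish_posts", "edit_others_posts"},
    "administrator": {"read", "edit_posts", "publish_posts",
                      "edit_others_posts", "manage_options"},
}


def current_user_can(role, cap):
    """The check the web interface performs and the xmlrpc path omitted."""
    return cap in ROLE_CAPS.get(role, set())


def make_db():
    """Constructed in-memory schema: two fake users and one unpublished draft."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_users(ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE wp_posts(ID INTEGER PRIMARY KEY, post_author INTEGER,
                              post_title TEXT, post_status TEXT);
        INSERT INTO wp_users VALUES (1, 'admin',   '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO wp_users VALUES (2, 'contrib', '098f6bcd4621d373cade4e832627b4f6');
        INSERT INTO wp_posts VALUES (7, 2, 'Saved draft', 'draft');
        """
    )
    return con


def addslashes(s):
    """Emulates PHP magic_quotes_gpc: backslash-escapes quotes and backslashes only."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_lookup(con, post_id):
    """Flawed pattern: post_id is escaped and then interpolated UNQUOTED, so a
    payload with no quote characters is not altered by the escaping at all."""
    pid = addslashes(post_id)
    return con.execute(
        f"SELECT ID, post_title FROM wp_posts WHERE ID = {pid}"
    ).fetchall()


def vulnerable_publish(con, role, post_id):
    """Flawed pattern: no publish_posts check before changing the status."""
    pid = addslashes(post_id)
    con.execute(f"UPDATE wp_posts SET post_status = 'publish' WHERE ID = {pid}")
    return post_status(con, int(post_id))


def hardened_publish(con, role, post_id):
    """Capability check first, then post_id forced to an integer and bound as a
    query parameter. Returns the resulting post_status."""
    if not current_user_can(role, "publish_posts"):
        raise PermissionError("publish_posts capability required")
    pid = int(post_id)  # ValueError for anything that is not a plain integer
    con.execute("UPDATE wp_posts SET post_status = 'publish' WHERE ID = ?", (pid,))
    return post_status(con, pid)


def post_status(con, pid):
    row = con.execute("SELECT post_status FROM wp_posts WHERE ID = ?", (pid,)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both paths and reports what each one allowed or blocked."""
    con = make_db()
    # 1. A contributor publishes a saved draft through the unchecked path.
    escalated = vulnerable_publish(con, "contributor", "7") == "publish"
    # 2. Integer-context injection: a UNION with no quotes dumps login/hash pairs.
    payload = "0 UNION SELECT user_login, user_pass FROM wp_users"
    dumped = sorted(vulnerable_lookup(con, payload))

    con2 = make_db()
    try:
        hardened_publish(con2, "contributor", "7")
        contributor_blocked = False
    except PermissionError:
        contributor_blocked = True
    try:
        hardened_publish(con2, "author", payload)
        injection_blocked = False
    except ValueError:
        injection_blocked = True
    author_ok = hardened_publish(con2, "author", "7") == "publish"
    return {"escalated": escalated, "dumped": dumped,
            "contributor_blocked": contributor_blocked,
            "injection_blocked": injection_blocked,
            "author_can_publish": author_ok}


if __name__ == "__main__":
    print(demo())
```

The SQLite model stops at a UNION because sqlite3's execute() runs a single statement; on the MySQL backend the advisory targets, the same unquoted integer context is what the proof of concept abuses, and the defence is the same: cast to int (or bind the value as a parameter) before it reaches the query, and never rely on magic_quotes for values that are not inside quotes.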
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/