Bug 93355 - wordpress <1.5 SQL injection
Summary: wordpress <1.5 SQL injection
Status: RESOLVED DUPLICATE of bug 88926
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Other
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-20 11:56 UTC by Rajiv Aaron Manglani (RETIRED)
Modified: 2005-05-21 02:18 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Rajiv Aaron Manglani (RETIRED) gentoo-dev 2005-05-20 11:56:26 UTC
From: 	  bugtraq@morph3us.org
	Subject: 	[BuHa Security] Wordpress SQL-Injection
	Date: 	May 19, 2005 11:52:58 PM EDT
	To: 	  bugtraq@securityfocus.com



 ---------------------------------------------------
| BuHa Security-Advisory #1     |    May 17th, 2005 |
 ---------------------------------------------------
| Vendor   | Wordpress                              |
| URL      | http://wordpress.org/                  |
| Version  | <= Wordpress 1.5                       |
| Risk     | Moderate (SQL-Injection)               |
 ---------------------------------------------------

o Description:
=============

WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability. 

Visit http://wordpress.org/ for detailed information.

o SQL-Injection:
===============

The most critical vulnerability in the 1.5 release of wordpress is an
SQL-Injection in `wp-trackback.php'. It's not easily exploitable
because you do not get a result when you inject a valid query but it's
possible to bruteforce values in the tables - for example the password
hashes.

Here some details:
The parameter `tb_id' in `wp-trackback.php' is not validated correctly
and there are no quotes in the SQL-query so an attacker is able to 
insert sql commands.

$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts
WHERE ID = $tb_id");
	
Example: (I converted the POST-request into a GET-request.)

$tb_id = 1 union select user_pass,0 from wp_users
$url = bla
$title = bla

</wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20
wp_users&url=bla&title=bla>

By injecting this query I get following database error:

WordPress database error:
[The used SELECT statements have a different number of columns]
SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0, 
user_pass from wp_users

When I insert "1 union select user_pass from wp_users" as value for
`tb_id' I get no error message because the query was well-formed -
logical. Through the possibility to insert any sql-command it's
possible to 'reconstruct' values of the tables.
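The following is an added illustration, not code from the advisory or from WordPress. It uses Python with an in-memory SQLite database (standing in for MySQL and $wpdb; the table layout and the row values are constructed) to show why the advisory's two probes behave differently (a column-count mismatch raises a database error, a well-formed UNION does not, which is the blind oracle the text describes), how an integer check plus a bound parameter closes the hole, and how a defender can flag non-numeric `tb_id` values in constructed access-log lines.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the two tables the advisory names; not WordPress's real schema.
SAMPLE_DB_SQL = """
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, ping_status TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_posts VALUES (1, 'open');
INSERT INTO wp_users VALUES (1, 'admin', 'constructed-hash-value');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DB_SQL)
    return conn


def ping_status_vulnerable(conn, tb_id):
    """Mirrors the advisory's pattern: tb_id is interpolated unquoted into the SQL text."""
    sql = f"SELECT ping_status FROM wp_posts WHERE ID = {tb_id}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The raw database error is what the advisory shows being echoed to the client.
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def ping_status_hardened(conn, tb_id):
    """Accept only a plain decimal integer and bind it as a parameter, never as SQL text."""
    if not re.fullmatch(r"\d+", str(tb_id)):
        return ("rejected", None)
    row = conn.execute(
        "SELECT ping_status FROM wp_posts WHERE ID = ?", (int(tb_id),)
    ).fetchone()
    return ("ok", row[0] if row else None)


def suspicious_trackback_requests(log_lines):
    """Return request paths whose tb_id parameter is not a plain integer.

    Assumes common-log-format lines with the request in double quotes.
    """
    flagged = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        path = m.group(1)
        parts = urlsplit(path)
        if not parts.path.endswith("wp-trackback.php"):
            continue
        for value in parse_qs(parts.query).get("tb_id", []):
            if not re.fullmatch(r"\d+", value):
                flagged.append(path)
    return flagged


# Constructed log lines: one benign request, one carrying the advisory's probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2005:23:52:58 -0400] "GET /wp-trackback.php?tb_id=1&url=bla&title=bla HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/May/2005:23:53:01 -0400] "GET /wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20wp_users&url=bla&title=bla HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    db = make_db()
    print(ping_status_vulnerable(db, "1 union select 0, user_pass from wp_users"))
    print(ping_status_vulnerable(db, "1 union select user_pass from wp_users"))
    print(ping_status_hardened(db, "1 union select user_pass from wp_users"))
    print(suspicious_trackback_requests(SAMPLE_LOG))
```

The hardened variant does two independent things: the integer check rejects the request outright, and the bound parameter means that even a bypass of the check could not alter the statement's structure. The log scan gives a quick retrospective check for hosts that were exposed before upgrading.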

o XSS:
=====

</wp-admin/edit.php?s=[XSS]&submit=Search>
</wp-admin/post.php?action=confirmdeletecomment&comment=1&p=[XSS]>

o Path Disclosure:
=================

</wordpress-1.5-strayhorn/wp-content/themes/*>
</wordpress-1.5-strayhorn/wp-includes/*>
</wordpress-1.5-strayhorn/wp-admin/*>

Fatal error: Call to undefined function add_filter() in
[...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/
wp-content/themes/classic/comments-popup.php on line 3

o Disclosure Timeline:
=====================

17 Apr 05 - Security flaws discovered.
19 Apr 05 - Vendor contacted.
10 May 05 - Vendor released bugfixed version.
17 May 05 - Public release.

o Solution:
==========

Upgrade to wordpress 1.5.1 [1]

o Credits:
=========

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

[1] http://wordpress.org/development/2005/05/one-five-one/
Comment 1 Aaron Walker (RETIRED) gentoo-dev 2005-05-20 18:31:28 UTC
bug 88926
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 02:18:02 UTC

*** This bug has been marked as a duplicate of 88926 ***