Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] WordPress Multiple Vulnerability (wp-trackback.php)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] WordPress Multiple Vulnerability (wp-trackback.php)
Date: 23 May 2005 17:47:23 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  WordPress Multiple Vulnerability (wp-trackback.php)
------------------------------------------------------------------------


SUMMARY

 <http://wordpress.org/> WordPress is "a state-of-the-art semantic 
personal publishing platform with a focus on aesthetics, web standards, 
and usability".

Multiple security vulnerabilities have been found in WordPress, the 
vulnerabilities range from a password revealing SQL injection, through 
cross site scripting vulnerabilities to path disclosure issues.

DETAILS

Vulnerable Systems:
 * WordPress version 1.5 and prior

Immune Systems:
 * WordPress version 1.5.1 or newer

SQL Injection:
The most critical vulnerability in the 1.5 release of wordpress is an 
SQL-Injection in `wp-trackback.php'. It's not easily exploitable because 
you do not get a result when you inject a valid query but it's possible to 
brute force values in the tables - for example the password hashes.

Here some details:
The parameter `tb_id' in `wp-trackback.php' is not validated correctly and 
there are no quotes in the SQL-query so an attacker is able to insert SQL 
commands.

$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE 
ID = $tb_id");

Example:

$tb_id = 1 union select user_pass,0 from wp_users
$url = bla
$title = bla


</wp-trackback.php?tb_id=1 union select 0,user_pass from 
wp_users&url=bla&title=bla>

By injecting this query we get following database error:

WordPress database error:
[The used SELECT statements have a different number of columns]
SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,
user_pass from wp_users


When we insert "1 union select user_pass from wp_users" as value for 
`tb_id' we get no error message because the query was well-formed - 
logical. Through the possibility to insert any SQL-command it's possible 
to 'reconstruct' values of the tables.

XSS:
The following two URLs can be used to trigger the cross site scripting 
vulnerability on the remote host:
http://vulnerable/wp-admin/edit.php?s=[XSS]&submit=Search
http://vulnerable/wp-admin/post.php?action=confirmdeletecomment 
&comment=1&p=[XSS]

Path Disclosure:
The following three URLs can be used to trigger the path disclosure 
vulnerability on the remote host:
http://vulnerable/wordpress-1.5-strayhorn/wp-content/themes/*
http://vulnerable/wordpress-1.5-strayhorn/wp-includes/*
http://vulnerable/wordpress-1.5-strayhorn/wp-admin/*


Fatal error: Call to undefined function add_filter() in
[...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/
wp-content/themes/classic/comments-popup.php on line 3


Solution:
Upgrade to WordPress version 1.5.1 or newer.

Disclosure Timeline:
17 Apr 05 - Security flaws discovered
19 Apr 05 - Vendor contacted
10 May 05 - Vendor released bugfixed version
17 May 05 - Public release


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bugtraq@morph3us.org> Thomas 
Waldegger.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] WordPress Multiple Vulnerability (wp-trackback.php), SecuriTeam <=
Previous by Date:  [EXPL] GLD Remote Format String Vulnerability (client_address, Exploit), SecuriTeam
Next by Date:  [NEWS] Scottrader Unchecked Password Field, SecuriTeam
Previous by Thread:  [EXPL] GLD Remote Format String Vulnerability (client_address, Exploit), SecuriTeam
Next by Thread:  [NEWS] Scottrader Unchecked Password Field, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]