[UNIX] WordPress Multiple Vulnerability (wp-trackback.php)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/23/05

  • Next message: SecuriTeam: "[NEWS] Scottrader Unchecked Password Field" 
    To: list@securiteam.com
Date: 23 May 2005 17:47:23 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      WordPress Multiple Vulnerability (wp-trackback.php)
    ------------------------------------------------------------------------

    SUMMARY

     <http://wordpress.org/> WordPress is "a state-of-the-art semantic
    personal publishing platform with a focus on aesthetics, web standards,
    and usability".

    Multiple security vulnerabilities have been found in WordPress, the
    vulnerabilities range from a password revealing SQL injection, through
    cross site scripting vulnerabilities to path disclosure issues.

    DETAILS

    Vulnerable Systems:
     * WordPress version 1.5 and prior

    Immune Systems:
     * WordPress version 1.5.1 or newer

    SQL Injection:
    The most critical vulnerability in the 1.5 release of wordpress is an
    SQL-Injection in `wp-trackback.php'. It's not easily exploitable because
    you do not get a result when you inject a valid query but it's possible to
    brute force values in the tables - for example the password hashes.

    Here some details:
    The parameter `tb_id' in `wp-trackback.php' is not validated correctly and
    there are no quotes in the SQL-query so an attacker is able to insert SQL
    commands.

    $pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts WHERE
    ID = $tb_id");

    Example:
    > $tb_id = 1 union select user_pass,0 from wp_users
    > $url = bla
    > $title = bla

    </wp-trackback.php?tb_id=1 union select 0,user_pass from
    wp_users&url=bla&title=bla>

    By injecting this query we get following database error:
    > WordPress database error:
    > [The used SELECT statements have a different number of columns]
    > SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,
    > user_pass from wp_users

    When we insert "1 union select user_pass from wp_users" as value for
    `tb_id' we get no error message because the query was well-formed -
    logical. Through the possibility to insert any SQL-command it's possible
    to 'reconstruct' values of the tables.

    XSS:
    The following two URLs can be used to trigger the cross site scripting
    vulnerability on the remote host:
    http://vulnerable/wp-admin/edit.php?s=[XSS]&submit=Search
    http://vulnerable/wp-admin/post.php?action=confirmdeletecomment
    &comment=1&p=[XSS]

    Path Disclosure:
    The following three URLs can be used to trigger the path disclosure
    vulnerability on the remote host:
    http://vulnerable/wordpress-1.5-strayhorn/wp-content/themes/*
    http://vulnerable/wordpress-1.5-strayhorn/wp-includes/*
    http://vulnerable/wordpress-1.5-strayhorn/wp-admin/*

    > Fatal error: Call to undefined function add_filter() in
    > [...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/
    > wp-content/themes/classic/comments-popup.php on line 3

    Solution:
    Upgrade to WordPress version 1.5.1 or newer.

    Disclosure Timeline:
    17 Apr 05 - Security flaws discovered
    19 Apr 05 - Vendor contacted
    10 May 05 - Vendor released bugfixed version
    17 May 05 - Public release

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:bugtraq@morph3us.org> Thomas
    Waldegger.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Scottrader Unchecked Password Field"

    Relevant Pages
    • Quantcast