Wordpress disclosure of Table Prefix Weakness
- From: process@xxxxxxxxx
- Date: 12 Jan 2007 01:32:47 -0000
Wordpress Full Path disclosure and disclosure of Table Prefix Weakness
WordPress 2.1Alpha 3(SVN:4662)
xy7 has discovered a weakness in WordPress which can be exploited by
malicious people to disclose SQL information and the WordPress full path.
The problem is that SQL error messages are returned to the user. This can
be exploited to disclose the configured table prefix via an invalid "m"
parameter passed to index.php.
The returned information looks like this:
Warning: rawurlencode() expects parameter 1 to be string, array given in
[path]\wp-includes\classes.php on line 227
WordPress 数据库错误: [Unknown column 'Arra' in 'where clause']
SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND YEAR
(post_date)=Arra AND (post_type = 'post' AND (post_status = 'publish' OR
post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10
Edit the source to use the is_array() function to check the variable "$m".
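A sketch of the is_array() check suggested above, as an added example that is not WordPress source and not part of the original advisory. The function names sanitize_m() and build_date_clause() are hypothetical, the YEAR(post_date) clause mirrors the query in the error output, and the accepted lengths (YYYY up to YYYYMMDDHHMMSS) are an assumption about what a date archive parameter looks like.

```php
<?php
// Added example, not WordPress code. Function names are hypothetical.

/**
 * Return the "m" archive parameter as a digit string, or '' when it is
 * missing, an array, or not a plausible date value.
 */
function sanitize_m($raw): string
{
    // The is_array() check from the advisory: the warning "array given"
    // shows that "m" reached string-handling code as an array. The "Arra"
    // in the SQL error is consistent with PHP's array-to-string result
    // "Array" being cut to four characters (assumption).
    if (is_array($raw) || !is_scalar($raw)) {
        return '';
    }
    // Keep digits only, so nothing but a number can reach the query.
    $m = preg_replace('/[^0-9]/', '', (string) $raw);
    $len = strlen($m);
    // Assumed valid shapes: YYYY, YYYYMM, YYYYMMDD, ... YYYYMMDDHHMMSS.
    if ($len < 4 || $len > 14 || $len % 2 !== 0) {
        return '';
    }
    return $m;
}

/** Build the year filter only from a validated value. */
function build_date_clause($raw): string
{
    $m = sanitize_m($raw);
    if ($m === '') {
        return ''; // no date filter; the malformed query is never built
    }
    return ' AND YEAR(post_date)=' . (int) substr($m, 0, 4);
}

// Constructed inputs standing in for $_GET['m']: a normal value,
// an array value, and a value with a trailing non-digit.
foreach (['200701', ['x'], "2007'"] as $input) {
    var_export(build_date_clause($input));
    echo PHP_EOL;
}
```

Validating the parameter removes this trigger; the exposure the advisory describes, database error messages being returned to the visitor, remains for any other query that fails.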
Provided and/or discovered by:
Xy7 of Bug.Center.Team found the vulnerability