SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: Cafelog WordPress / b2 SQL injection vulnerabilities discovered and fixed in CVS Date: Oct 3 2003 5:11AM Author: Seth Woolley Message-ID: <20031002165758.X90532@tautology.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vendor: Cafelog Product: WordPress (formerly b2) http://www.wordpress.org/ Vulnerable Versions: * CVS versions before October 1, 2003 * Vulnerability affects code inherited from b2, so all versions of wordpress released before CVS fix are affected and many versions of b2 are also affected. Description: A number of SQL injection vulnerabilities have been fixed that could allow arbitrary SQL to be injected if one has local access to the filesystem the database can access (using 'source filename.sql;'). ''', '"', '\' are all filtered, and ' ' is munged into SQL constructs before injection, so %09 (tab char) can be used where spaces would normally be in the sql string one wishes to inject. The problem affects the category (cat) and order by (order_by) code. The author (author) code was almost vulnerable, except for a small bug that misconverted author to an integer before string processing. The problems are located in the blog.header.php file, and a patch is included below (provided by the authors) that fixes the vulnerabilities and includes general bug fixes and code cleanup. Any SQL string not including quotes or a backslash can be injected through the URL (i.e. 'drop table foo;'). Patch: http://cvs.sourceforge.net/viewcvs.py/cafelog/wordpress/blog.header.php.diff?r1=text&tr1=1.18&r2=text&tr2=1.21&diff_format=u Exploit: http://fresh.wordpress.org/index.php?cat=100)%09or%090=0%09or%09(0=1 Exploit example exposes private posts. Dropping tables should be trivial, especially using the order_by flaw. Date Discovered: Sunday, 28 Sept 2003 Dates Vendor Notified: Monday, 29 Sept 2003 - Tuesday, 30 Sept 2003 Vendor was notified of problems on Monday. On Tuesday, discoverer gave a full report of the extent of the problems via IRC. Date Fixed: Wednesday, 1 Oct 2003 Date Published: Thursday, 2 Oct 2003 Discoverer: Seth Woolley Disclaimer: I (Seth) am not a php expert, and I don't run this code, so I haven't tested the vendor-provided patch yet, although I assume the vendor has. Be advised. Acknowledgements: I would like to thank the wordpress developers for providing the patch in a timely and responsible manner (specifically Matthew Mullenweg for being my vendor contact). - -- Seth Alan Woolley , SPAM/UCE is unauthorized Key id 7BEACC7D = 2978 0BD1 BA48 B671 C1EB 93F7 EDF4 3CDF 7BEA CC7D Full Key at seth.tautology.org and pgp.mit.edu. info: www.gnupg.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/fQTz7fQ833vqzH0RAreJAJ0YzWPNFp4aqWrKnFJnFMo8HkiduwCeOPd/ sUqIIAbtDJ6iA8r4HOor4LU= =Qwy4 -----END PGP SIGNATURE----- Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus