Abel Cheung has discovered yet another vulnerability in WordPress.

The search function in WordPress does not sanitize input with the
database character set in mind. When WordPress queries the MySQL
database using certain character sets, the search function is therefore
exploitable through charset-based SQL injection.

Character sets currently known to be exploitable include Big5 and GBK (see your wp-config.php; this will mainly affect Chinese blogs). Both can use the backslash byte ('\') as part of a multibyte character. A WordPress installation whose MySQL database was created with any other character set having the same property may also be exploitable.

Workaround: This vulnerability only exists for database queries performed
using certain character sets. For databases created in most other
character sets no remedy is needed.

  • a. It is recommended to convert the WordPress database to a character set that is not vulnerable to this SQL injection. One such charset is UTF-8, which never uses the backslash byte ('\') as part of a character and supports a wide range of languages.
  • b. Alternatively, edit WordPress theme to remove search capability.
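To make the mechanism concrete, here is an added example (Python standing in for PHP and MySQL; it is not code from the advisory or from WordPress) showing a byte-level escaper in the style of PHP's addslashes() failing under GBK and Big5 while holding under UTF-8, next to a charset-aware escaper that decodes before escaping. The input bytes are constructed for the demo, and Python's big5/gbk codecs are assumed to tokenize multibyte characters the way MySQL's parser does for those connection charsets.

```python
# Added example (not code from the advisory or WordPress): Python's big5 and
# gbk codecs stand in for MySQL's parser; all input bytes are constructed.

def naive_addslashes(data: bytes) -> bytes:
    """Byte-level escaping like PHP's addslashes(): a backslash is put before
    quotes and backslashes with no knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def unescaped_quote_survives(escaped: bytes, charset: str) -> bool:
    """Decode as the connection charset (as a charset-aware SQL tokenizer
    would) and report whether a single quote is left that is not preceded
    by a backslash character, i.e. the string literal can be terminated."""
    prev_is_backslash = False
    for ch in escaped.decode(charset, errors="replace"):
        if ch == "'" and not prev_is_backslash:
            return True
        prev_is_backslash = ch == "\\" and not prev_is_backslash
    return False

def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Decode strictly, escape at the character level, re-encode. A 0x5C
    trail byte of a multibyte character is never mistaken for a backslash,
    and malformed input raises UnicodeDecodeError instead of reaching SQL."""
    text = data.decode(charset)
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset)

def rejects_malformed(data: bytes, charset: str) -> bool:
    """True if the charset-aware path refuses a truncated multibyte input."""
    try:
        charset_aware_escape(data, charset)
    except UnicodeDecodeError:
        return True
    return False

if __name__ == "__main__":
    # GBK: lone lead byte 0xBF then a quote. Naive escaping gives BF 5C 27;
    # BF 5C decodes as one character, so the quote is left unescaped.
    for cs in ("gbk", "utf-8"):
        print(cs, unescaped_quote_survives(naive_addslashes(b"\xbf'"), cs))
    # Big5: B3 5C is a valid character whose trail byte is 0x5C ('\').
    legit = b"\xb3\x5c'"
    print("big5 naive", unescaped_quote_survives(naive_addslashes(legit), "big5"))
    print("big5 aware", unescaped_quote_survives(charset_aware_escape(legit, "big5"), "big5"))
```

The Big5 case shows that even perfectly valid user input breaks naive escaping, which is why switching the database to UTF-8 (workaround a) or escaping with the real connection charset is the fix rather than filtering quotes.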

The full advisory is available here.

Thanks to Abel for keeping us in the loop, and great find.


Comments

Flo on 11 December, 2007 at 7:44 pm

I doubt that removing search from the theme would help much. One could still trigger the search (and therefore the exploit) over the URL, even if no results were shown.


Philipp on 11 December, 2007 at 8:00 pm

I can’t talk for Abel, but mostly I believe he’s aiming at removing it in such a way that it’s not working at all anymore (although no direct link to it).


Abel Cheung on 11 December, 2007 at 9:08 pm

My stupidity. Although I originally intended to say removing the function entirely, it was written in such a bad way that the meaning ended up like what Flo said. Will update the advisory soon.


