Wordpress 2.3.1 Charset SQL Injection Vulnerability

Abel Cheung has discovered yet another vulnerability in WordPress.

The search function in WordPress escapes user input without regard to the
character set in which the database will interpret it. When WordPress queries
a MySQL database that uses certain multibyte character sets, that escaping can
be defeated, so the search function is exploitable via a charset-based SQL
injection.

The character sets currently known to be exploitable are Big5 and GBK (check the database charset setting, DB_CHARSET, in your wp-config.php; this will mainly affect Chinese blogs). In both of them the backslash byte ('\') can occur as the second byte of a multibyte character, so the backslash that escaping inserts before a quote can be absorbed into the preceding character, leaving the quote live. A WordPress installation whose MySQL database was created with any other character set having this property may also be exploitable.

Workaround: This vulnerability only exists for database queries performed
using the affected character sets. For databases created in most other
character sets (UTF-8 included, since the byte 0x5C never occurs inside a
UTF-8 multibyte sequence) no remedy is needed.
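To make the mechanism concrete, here is an added Python example (not code from the advisory or from WordPress) that reproduces the bug at the byte level: it escapes a crafted search string the way a byte-oriented addslashes() would, decodes the result as GBK, Big5 and UTF-8 to show what the database server sees, and contrasts a character-aware escape that decodes strictly under the connection charset first. The payloads, the query template and the helper names are constructed for illustration.

```python
"""Charset-based SQL injection, reproduced at the byte level.

Added example for this post; it is not code from Abel Cheung's advisory or
from WordPress. naive_addslashes() mimics PHP's byte-oriented addslashes()
(only ', " and \\ are handled here, which is what matters for the bug), the
payloads and the query template are constructed, and server_view() stands in
for how a MySQL server decodes the bytes under the connection character set.
"""

# Constructed query template: the kind of statement a search handler builds.
TEMPLATE = "SELECT ID FROM wp_posts WHERE post_title LIKE '%{}%'"


def naive_addslashes(data: bytes) -> bytes:
    """Escape byte by byte, as addslashes() does: prefix ', " and \\ with 0x5C,
    with no idea which bytes belong to the same multibyte character."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def server_view(escaped: bytes, charset: str) -> str:
    """Decode the escaped bytes the way a server using `charset` would.
    Undecodable bytes become U+FFFD; the point is only which bytes pair up."""
    return escaped.decode(charset, errors="replace")


def has_live_quote(text: str) -> bool:
    """True if the decoded text still contains a single quote that is not
    escaped, i.e. one that would terminate a string literal in SQL."""
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # a backslash consumes the character after it
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


def quote_survives(payload: bytes, charset: str) -> bool:
    """Does a quote in `payload` stay live after naive escaping when the
    server decodes under `charset`?  Big5 and GBK: yes.  UTF-8: no."""
    return has_live_quote(server_view(naive_addslashes(payload), charset))


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape characters, not bytes: decode strictly under the connection
    charset first (a lone lead byte followed by 0x27 is malformed and is
    rejected instead of being merged with the escape backslash), escape the
    decoded text, then re-encode.  Raises UnicodeDecodeError on malformed input."""
    text = data.decode(charset)
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset)


if __name__ == "__main__":
    # Constructed payloads: a lead byte of the charset, then a quote and a
    # tautology.  0xBF is a GBK lead byte, 0xA5 a Big5 lead byte.
    payloads = {
        "gbk": b"\xbf' OR 1=1 -- ",
        "big5": b"\xa5' OR 1=1 -- ",
        "utf-8": b"\xbf' OR 1=1 -- ",
    }
    for cs, payload in payloads.items():
        view = server_view(naive_addslashes(payload), cs)
        print(f"{cs:6} server sees {TEMPLATE.format(view)!r}  "
              f"live quote: {has_live_quote(view)}")
```

Under GBK the escaped bytes 0xBF 0x5C 0x27 decode as the single character 縗 followed by a bare quote, and under Big5 0xA5 0x5C 0x27 becomes 功 followed by a bare quote; under UTF-8 the inserted backslash stays a backslash and the quote remains escaped. The character-aware version refuses the malformed input outright, which is the behaviour a charset-aware escaping function such as MySQL's own should give you.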

The full advisory is available here.

Thanks to Abel for keeping us in the loop, and great find.


Comments

I doubt that removing search from the theme would help much. One could still trigger the search (and therefore the exploit) over the URL, even if no results were shown.

I can't talk for Abel, but mostly I believe he's aiming at removing it in such a way that it's not working at all anymore (although no direct link to it).

My stupidity. Although I originally intended to say removing the function entirely, it was written in such a bad way that the meaning ended up like what Flo said. Will update the advisory soon.


[...] security and exploit a UTF-7 SQL Injection exploit some time ago. Another example of this, was Abel Cheung’s Charset SQL Injection vulnerability, published last month (which in theory should still be [...]
