Update (10/12/07): This vulnerability has been downgraded to an information disclosure vulnerability only, as no proof-of-concept exploit has been possible. This contradicts the original advisory. More info here.
A new SQL injection vulnerability may have been discovered in WordPress 2.3.1. This is a critical security risk that may allow an attacker to remotely compromise your blog.
Test your blog (proof of concept):
POC = http://localhost/path_to_wordpress/?feed=rss2&p=1
Currently, the BlogSec team is unaware of a patch. Please keep an eye on this post for updates.
The original advisory can be found here.
Beenu Arora has been credited for finding the vulnerability.
Thanks to Mustlive for bringing it to our attention.
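As an added example (not part of the original advisory or of WordPress), the script below does two defensive things the post's proof of concept suggests: it picks the same request shape (feed=rss2 with a p= value) out of web-server access logs, and it checks a fetched feed body for database error text, which is the information disclosure the update describes. The log lines and feed bodies are constructed; the error-marker strings are an assumption about what WordPress and MySQL print.

```python
import re
from urllib.parse import parse_qs, urlparse

# Combined log format as written by Apache/nginx; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Marker strings indicating a database error reached the response body (assumption:
# the first is what WordPress's wpdb prints, the second is MySQL's syntax-error text).
DB_ERROR_MARKERS = ("WordPress database error", "You have an error in your SQL syntax")

def is_feed_probe(path):
    """True for the request shape in the advisory: feed=rss2 together with a p= value."""
    query = parse_qs(urlparse(path).query, keep_blank_values=True)
    return query.get("feed") == ["rss2"] and "p" in query

def scan_log(lines):
    """Return (ip, p value, status) for each logged request matching the probe shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or not is_feed_probe(m["path"]):
            continue
        p_value = parse_qs(urlparse(m["path"]).query, keep_blank_values=True)["p"][0]
        hits.append((m["ip"], p_value, int(m["status"])))
    return hits

def feed_leaks_db_error(body):
    """True if a feed body carries a database error message (the disclosure itself)."""
    return any(marker in body for marker in DB_ERROR_MARKERS)

# Constructed sample log lines: two probes from one host, two ordinary requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2007:12:00:01 +0000] "GET /?feed=rss2&p=1 HTTP/1.1" 200 512 "-" "curl/7.16"',
    '203.0.113.5 - - [10/Dec/2007:12:00:02 +0000] "GET /?feed=rss2&p=99999 HTTP/1.1" 200 301 "-" "curl/7.16"',
    '198.51.100.9 - - [10/Dec/2007:12:00:03 +0000] "GET /?p=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2007:12:00:04 +0000] "GET /?feed=rss2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
# Constructed feed bodies: one leaking a database error, one clean.
LEAKY_BODY = '<?xml version="1.0"?><div id="error"><p><strong>WordPress database error:</strong> [...]</p></div>'
CLEAN_BODY = '<?xml version="1.0"?><rss version="2.0"><channel><title>Example</title></channel></rss>'

if __name__ == "__main__":
    for ip, p_value, status in scan_log(SAMPLE_LOG):
        print(f"probe from {ip}: p={p_value} status={status}")
    print("leaks:", feed_leaks_db_error(LEAKY_BODY), feed_leaks_db_error(CLEAN_BODY))
```

Per-post comment feeds legitimately use the same URL shape, so treat the log hits as a review queue rather than an alert on their own.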
Yet another reason to use WPIDS or WP-IDS or another WP derivative of PHPIDS :)
PoC:
http://preview.tinyurl.com/25b32m
Greetings,
.mario
Have you been able to reproduce that bug?
As far as I know, it only shows a SQL error for invalid posts — I fixed that bug in my own blog two months ago based on the following Trac ticket:
http://trac.wordpress.org/ticket/5185
I’m not sure if it’s the best idea, but you can use redirection to send anything for /?feed=rss2&p=1 to /feed :)
… correction: Actually I think /?feed=rss2&p=1 should be /?feed=rss2&p=(.*)
[…] (2.3.1) apparently has a very serious SQL injection flaw; it is the blogsecurity site that tells us about it, and the original alert can be found at this […]
Mod-Security should do it. At least I could not reproduce this with wp 2.3.1 and modsec.
I’ll ask the same thing Alex did. Have you actually tried this?
At best I’ve only been able to generate a SQL error.
[…] it is that time again. There is an SQL injection. Currently there is supposedly no patch yet. This here might help, though. Otherwise a […] helps
I’m unable to reproduce this as well. Maybe it only works on specific versions of MySQL.
It would be better to try to reproduce the vulnerability before posting it on your blog. A lot of lamers are posting crap on security lists without testing or even understanding what they found. Don’t help them get more attention.
Yet another “OMG SQL HAX VULNERABILITY” critical alert that I cannot reproduce on any of my blogs, running on different software combinations.
The sad thing is that everybody’s relaying this information. The saddest thing is that the so-called experts who found this bother, as usual, more about exposure than about sharing their findings with developers. This is pathetic.
[…] recent WordPress information disclosure vulnerability demonstrates the potential dangers of having these error messages displayed to the user. It leaks […]
[…] Blog Security - WordPress information disclosure vulnerability […]
[…] necessitated an urgent security release. WordPress 2.3.2 is now available. One of the problems is an SQL injection vulnerability that exposes internal information about your WordPress installation. These are common problems that […]
[…] btw: I saw the WP 2.3.1 SQL injection vulnerability a long time ago and tested several blogs; it really works -_-b. For security reasons I did not write about it. Now that there is a fix, there is no harm in saying so. If you want the details, head over here […]
[…] otherz: Remote SQL injection on WordPress 2.3.1 […]
Actually, this “hack” allows one to gather enough information to launch another attack and gain admin privileges :-) For the 2.3.x branch.
Sorry, I won’t publish details.