lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 5 Apr 2007 23:49:15 +0100
From: "Sumit Siddharth" <sumit.siddharth@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Wordpress 2.1.2 xmlrpc Vulnerabilities

Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities:

*Affected Versions*: These issues were reported in version 2.1.2 and its
very likely that previous versions may also be vulnerable.

1.* Privilidge Escalation*:

Under normal circumstances (through web interface) a user in contributor
role only has access to following functions:

a. read
b. edit_posts

functionality 'publish_posts' is restricted to users in the author, editor
or administrator roles. However, this is not implemented in xmlrpc.php and
this allows a user in the contributor roles to publish a previously saved
post to the website.

No exploit code is required.

2. *SQL Injection*:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to
the backend database which results in a Sql injection. Exploiting this is
pretty trivial. As, it is an integer based injection, it works irrespective
of the setting "magic quote".  I wrote a Simple Proof Of Concept for this.
Download Exploit<http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl>
—————————————————–

*Successful Exploitation* of this will give you usernames and md5 hash of
password of all users including admin user. Once you have the admin user
hash needless to say you can create a php backdoor and that essentialy is
game over.

**[image: :-)]

*Workaround*:
1. Disable xmlrpc if you dont use it or restrict its access to trusted users
only.

*Vendor's response:*
1. vendor notified on 22nd March 2007.
2. New Version released on 2nd April 2007.
3. Advisory released on 2nd April 2007

-- 
Sumit Siddharth
www.notsosecure.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ