Date: 20 May 2005 03:52:58 -0000
From: Thomas Waldegger <>
Subject: [BuHa Security] Wordpress SQL-Injection

| BuHa Security-Advisory #1     |    May 17th, 2005 |
| Vendor   | Wordpress                              |
| URL      |                  |
| Version  | <= Wordpress 1.5                       |
| Risk     | Moderate (SQL-Injection)               |
o Description:

WordPress is a state-of-the-art semantic personal publishing platform
with a focus on aesthetics, web standards, and usability. 

Visit for detailed information.

o SQL-Injection:

The most critical vulnerability in the 1.5 release of WordPress is an
SQL injection in `wp-trackback.php'. It is not easily exploitable,
because an injected query returns no visible result, but it is still
possible to brute-force values in the tables, for example the password.

Some details:
The parameter `tb_id' in `wp-trackback.php' is not validated correctly,
and the value is placed into the SQL query without quotes, so an
attacker is able to insert SQL commands.

$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts
WHERE ID = $tb_id");
Example: (I converted the POST-request into a GET-request.)

> $tb_id = 1 union select user_pass,0 from wp_users
> $url = bla
> $title = bla


By injecting this query I get the following database error:

> WordPress database error:
> [The used SELECT statements have a different number of columns]
> SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0, 
> user_pass from wp_users

When I insert "1 union select user_pass from wp_users" as the value for
`tb_id' I get no error message, because the query is well-formed -
logical. Through the possibility of inserting any SQL command it is
possible to 'reconstruct' values of the tables.
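
As an added example (not the advisory's or WordPress's own code), the
unquoted-integer pattern from `wp-trackback.php' is shown next to a
hardened version that accepts nothing but a numeric post ID; the table
name and the `build_query_*' helpers are assumed for illustration:

```php
<?php
// Added example, not WordPress code: the unquoted numeric parameter
// described in the advisory, first as written and then hardened.

// Stand-in for $wpdb->posts; constructed for this illustration.
$posts_table = 'wp_posts';

// Vulnerable form: $tb_id is interpolated unquoted and unvalidated, so
// "1 union select ..." becomes part of the statement sent to MySQL.
function build_query_vulnerable(string $posts_table, string $tb_id): string {
    return "SELECT ping_status FROM $posts_table WHERE ID = $tb_id";
}

// Hardened form: accept only a decimal post ID and reject everything else
// before it reaches the database. A bare intval() would also stop the
// injection, but it silently turns the probe into 1; strict matching lets
// the application reject and log it instead. (Later WordPress versions
// offer $wpdb->prepare() with a %d placeholder for the same purpose.)
function build_query_safe(string $posts_table, string $tb_id): string {
    if (!preg_match('/^[1-9][0-9]{0,9}\z/', $tb_id)) {
        throw new InvalidArgumentException('tb_id must be a positive integer');
    }
    $id = (int) $tb_id;
    return "SELECT ping_status FROM $posts_table WHERE ID = $id";
}

// Inputs: a legitimate trackback ID and the probe quoted in the advisory.
$inputs = ['1', '1 union select user_pass,0 from wp_users'];
foreach ($inputs as $tb_id) {
    echo "vulnerable: " . build_query_vulnerable($posts_table, $tb_id) . "\n";
    try {
        echo "hardened:   " . build_query_safe($posts_table, $tb_id) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

The second input produces the two-statement UNION in the vulnerable
query and an exception in the hardened one, which is the behaviour a
fix for this class of bug should have.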

o XSS:


o Path Disclosure:


> Fatal error: Call to undefined function add_filter() in
> [...]/htdocs/testenv/blogs/wordpress/wordpress-1.5-strayhorn/
> wp-content/themes/classic/comments-popup.php on line 3

o Disclosure Timeline:

17 Apr 05 - Security flaws discovered.
19 Apr 05 - Vendor contacted.
10 May 05 - Vendor released bugfixed version.
17 May 05 - Public release.

o Solution:

Upgrade to WordPress 1.5.1 [1].

o Credits:

Thomas Waldegger <>
BuHa-Security Community -

