lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 12 Jul 2006 23:22:20 -0400
From: "Aaron Newman" <aaroncharlesnewman@...oo.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: WordPress 2.0.3 SQL Error and Full Path Disclosure


I don't believe it is SQL Injection. I'm looking at version 2.0.3. 

The number placed in the query string does factor into the value inserted
into the SQL statement. Here is another example:

http://10.11.11.110/wordpress/index.php?paged=-1000

WordPress database error: [You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near '-10010, 10' at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-07-13
02:54:59' AND (post_status = "publish" OR post_author = 1 AND post_status !=
'draft' AND post_status != 'static') AND post_status != "attachment" GROUP
BY wp_posts.ID ORDER BY post_date DESC LIMIT -10010, 10

Note that the paged value is factored into the first argument of the LIMIT
clause. Definition of LIMIT from the MySQL website:
"The LIMIT clause can be used to constrain the number of rows returned by
the SELECT statement. LIMIT takes one or two numeric arguments, which must
both be non-negative integer constants (except when using prepared
statements). 

With two arguments, the first argument specifies the offset of the first row
to return, and the second specifies the maximum number of rows to return.
The offset of the initial row is 0 (not 1): 

SELECT * FROM tbl LIMIT 5,10;  # Retrieve rows 6-15"

The error is actually happening because the first argument to limit can not
be negative.

This database call is generated in the file /wp-includes/classes.php

Here it is:

function &get_posts() {
<snip>
		// Paging
		if (empty($q['nopaging']) && ! $this->is_single && !
$this->is_page) {
			$page = $q['paged'];
			if (empty($page)) {
				$page = 1;
			}

			if (($q['what_to_show'] == 'posts')) {
				$pgstrt = '';
				$pgstrt = (intval($page) -1) *
$q['posts_per_page'] . ', ';
				$limits = 'LIMIT
'.$pgstrt.$q['posts_per_page'];

In the last line, its inserting $pgstrt into the LIMIT clause. $pgstrt is
set to the intval of the value submitted to the querystring - 1 multiplied
by the posts_per_page. According to the PHP documentation, "intval return
value: The integer value of var on success, or 0 on failure." So if you put
a string into $page, you are still going to get back 0, so I see no way of
inserting text, spaces, or anything useful for SQL Injection in this
particular place.

Looking at this code, another opportunity for SQL injection would arise from
manipulating posts_per_page. A quick scan through the code doesn't look like
manipulating posts_per_page is obvious. 

I wonder how much security research has been done on this function. It looks
pretty complicated which leaves a real opportunity for SQL injection to
popup somewhere.


Another interesting security issue I just came across with the login
process. A failed login tells you whether it was a bad username or password.
Sybase ASE 11.0 exhibited the same behavior, but they fixed it in a dot
release. Oracle 8i did the same thing (although very subtely). This is great
for making the end user's life easier, but it makes 1 factor authentication
(passwords) even weaker then it already is (would you call it 1/2 factor
authentication?). 

It would be trivial to write a Perl script to brute-force usernames making a
password attack a factor easier. Then another Perl script to brute-force the
password for any discovered username. Coupled with no password lockout on
Wordpress, I'll bet password attacks are way too effective on Wordpress.

Regards,
Aaron C. Newman
aaroncharlesnewman@...oo.com






-----Original Message-----
From: zck zck [mailto:zckzck@...il.com] 
Sent: Wednesday, July 12, 2006 3:24 AM
To: bugtraq@...urityfocus.com
Subject: Re: WordPress 2.0.3 SQL Error and Full Path Disclosure

Isn't this actually an SQL Injection rather than information leakage?

Try :
http://localhost/wordpress/index.php?paged=%27

I mean, the error message (this time in English) is:
WordPress database error: [You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near '-10, 10' at line 1]

It specifically says that "You have an error in your SQL syntax", which
means my input goes into the query...

-----Original Message-----
From: xzerox@...uxmail.org [mailto:xzerox@...uxmail.org]
Sent: Sunday, July 02, 2006 12:15
To: bugtraq@...urityfocus.com
Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure

WordPress 2.0.3 SQL Error and Full Path Disclosure Discovered By zero
[Moroccan Security Team]
Software: WordPress 2.0.3
Site : www.wordpress.org

~ SQL Error ~

Example:

http://localhost/wordpress/index.php?paged=-1

Result:

WordPress database error: [Erreur de syntaxe pr?s de '-20, 10' ? la ligne 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <=
'2006-06-29 12:46:59' AND (post_status = "publish") AND post_status !=
"attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10


~ Full path ~

/wp-settings.php
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php
/wp-admin/edit-form-advanced.php
/wp-admin/edit-form-comment.php
/wp-admin/edit-link-form.php
/wp-admin/edit-page-form.php
/wp-admin/menu.php
/wp-admin/menu-header.php
/wp-admin/upgrade-functions.php
/wp-admin/upgrade-schema.php
/wp-admin/import/blogger.php
/wp-admin/import/dotclear.php
/wp-admin/import/livejournal.php
/wp-admin/import/mt.php
/wp-admin/import/rss.php
/wp-admin/import/textpattern.php
/wp-content/plugins/hello.php
/wp-content/plugins/wp-db-backup.php
/wp-content/plugins/akismet/akismet.php
/wp-content/themes/classic/index.php
/wp-content/themes/classic/comments.php
/wp-content/themes/classic/comments- popup.php
/wp-content/themes/classic/footer.php
/wp-content/themes/classic/header.php
/wp-content/themes/classic/sidebar.php
/wp-content/themes/default/index.php
/wp-content/themes/default/404.php
/wp-content/themes/default/archive.php
/wp-content/themes/default/archives.php
/wp-content/themes/default/attachment.php
/wp-content/themes/default/comments-popup.php
/wp-content/themes/default/footer.php
/wp-content/themes/default/functions.php
/wp-content/themes/default/header.php
/wp-content/themes/default/links.php
/wp-content/themes/default/page.php
/wp-content/themes/default/search.php
/wp-content/themes/default/searchform.php
/wp-content/themes/default/sidebar.php
/wp-content/themes/default/single.php
/wp-includes/default-filters.php
/wp-includes/kses.php
/wp-includes/locale.php
/wp-includes/rss-functions.php
/wp-includes/template-loader.php
/wp-includes/vars.php
/wp-includes/wp-db.php


Greetz:

simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure,
hunter, themenotor ...

Contact:

Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ