[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <E86FB219-7AB2-4579-9DFC-E8F901DCBEC6@securityminded.net>
Date: Thu, 13 Jul 2006 09:28:55 -0700
From: nate <nate@...urityminded.net>
To: bugtraq@...urityfocus.com
Subject: Re: WordPress 2.0.3 SQL Error and Full Path Disclosure
I'm currently using wordpress 2.0.2, I've been trying all of these
and have not noticed any of these working what so ever. It just
pulls up my 404 page. I am also not using the default permalink
structure, but rather date and name structure.
Just a little more information on this issue.
-nate
On Jul 12, 2006, at 8:22 PM, Aaron Newman wrote:
> I don't believe it is SQL Injection. I'm looking at version 2.0.3.
>
> The number placed in the query string does factor into the value
> inserted
> into the SQL statement. Here is another example:
>
> http://10.11.11.110/wordpress/index.php?paged=-1000
>
> WordPress database error: [You have an error in your SQL syntax;
> check the
> manual that corresponds to your MySQL server version for the right
> syntax to
> use near '-10010, 10' at line 1]
> SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <=
> '2006-07-13
> 02:54:59' AND (post_status = "publish" OR post_author = 1 AND
> post_status !=
> 'draft' AND post_status != 'static') AND post_status !=
> "attachment" GROUP
> BY wp_posts.ID ORDER BY post_date DESC LIMIT -10010, 10
>
> Note that the paged value is factored into the first argument of
> the LIMIT
> clause. Definition of LIMIT from the MySQL website:
> "The LIMIT clause can be used to constrain the number of rows
> returned by
> the SELECT statement. LIMIT takes one or two numeric arguments,
> which must
> both be non-negative integer constants (except when using prepared
> statements).
>
> With two arguments, the first argument specifies the offset of the
> first row
> to return, and the second specifies the maximum number of rows to
> return.
> The offset of the initial row is 0 (not 1):
>
> SELECT * FROM tbl LIMIT 5,10; # Retrieve rows 6-15"
>
> The error is actually happening because the first argument to limit
> can not
> be negative.
>
> This database call is generated in the file /wp-includes/classes.php
>
> Here it is:
>
> function &get_posts() {
> <snip>
> // Paging
> if (empty($q['nopaging']) && ! $this->is_single && !
> $this->is_page) {
> $page = $q['paged'];
> if (empty($page)) {
> $page = 1;
> }
>
> if (($q['what_to_show'] == 'posts')) {
> $pgstrt = '';
> $pgstrt = (intval($page) -1) *
> $q['posts_per_page'] . ', ';
> $limits = 'LIMIT
> '.$pgstrt.$q['posts_per_page'];
>
> In the last line, its inserting $pgstrt into the LIMIT clause.
> $pgstrt is
> set to the intval of the value submitted to the querystring - 1
> multiplied
> by the posts_per_page. According to the PHP documentation, "intval
> return
> value: The integer value of var on success, or 0 on failure." So if
> you put
> a string into $page, you are still going to get back 0, so I see no
> way of
> inserting text, spaces, or anything useful for SQL Injection in this
> particular place.
>
> Looking at this code, another opportunity for SQL injection would
> arise from
> manipulating posts_per_page. A quick scan through the code doesn't
> look like
> manipulating posts_per_page is obvious.
>
> I wonder how much security research has been done on this function.
> It looks
> pretty complicated which leaves a real opportunity for SQL
> injection to
> popup somewhere.
>
>
> Another interesting security issue I just came across with the login
> process. A failed login tells you whether it was a bad username or
> password.
> Sybase ASE 11.0 exhibited the same behavior, but they fixed it in a
> dot
> release. Oracle 8i did the same thing (although very subtely). This
> is great
> for making the end user's life easier, but it makes 1 factor
> authentication
> (passwords) even weaker then it already is (would you call it 1/2
> factor
> authentication?).
>
> It would be trivial to write a Perl script to brute-force usernames
> making a
> password attack a factor easier. Then another Perl script to brute-
> force the
> password for any discovered username. Coupled with no password
> lockout on
> Wordpress, I'll bet password attacks are way too effective on
> Wordpress.
>
> Regards,
> Aaron C. Newman
> aaroncharlesnewman@...oo.com
>
>
>
>
>
>
> -----Original Message-----
> From: zck zck [mailto:zckzck@...il.com]
> Sent: Wednesday, July 12, 2006 3:24 AM
> To: bugtraq@...urityfocus.com
> Subject: Re: WordPress 2.0.3 SQL Error and Full Path Disclosure
>
> Isn't this actually an SQL Injection rather than information leakage?
>
> Try :
> http://localhost/wordpress/index.php?paged=%27
>
> I mean, the error message (this time in English) is:
> WordPress database error: [You have an error in your SQL syntax;
> check the
> manual that corresponds to your MySQL server version for the right
> syntax to
> use near '-10, 10' at line 1]
>
> It specifically says that "You have an error in your SQL syntax",
> which
> means my input goes into the query...
>
> -----Original Message-----
> From: xzerox@...uxmail.org [mailto:xzerox@...uxmail.org]
> Sent: Sunday, July 02, 2006 12:15
> To: bugtraq@...urityfocus.com
> Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure
>
> WordPress 2.0.3 SQL Error and Full Path Disclosure Discovered By zero
> [Moroccan Security Team]
> Software: WordPress 2.0.3
> Site : www.wordpress.org
>
> ~ SQL Error ~
>
> Example:
>
> http://localhost/wordpress/index.php?paged=-1
>
> Result:
>
> WordPress database error: [Erreur de syntaxe pr?s de '-20, 10' ? la
> ligne 1]
> SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <=
> '2006-06-29 12:46:59' AND (post_status = "publish") AND post_status !=
> "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT
> -20, 10
>
>
> ~ Full path ~
>
> /wp-settings.php
> /wp-admin/admin-footer.php
> /wp-admin/admin-functions.php
> /wp-admin/edit-form.php
> /wp-admin/edit-form-advanced.php
> /wp-admin/edit-form-comment.php
> /wp-admin/edit-link-form.php
> /wp-admin/edit-page-form.php
> /wp-admin/menu.php
> /wp-admin/menu-header.php
> /wp-admin/upgrade-functions.php
> /wp-admin/upgrade-schema.php
> /wp-admin/import/blogger.php
> /wp-admin/import/dotclear.php
> /wp-admin/import/livejournal.php
> /wp-admin/import/mt.php
> /wp-admin/import/rss.php
> /wp-admin/import/textpattern.php
> /wp-content/plugins/hello.php
> /wp-content/plugins/wp-db-backup.php
> /wp-content/plugins/akismet/akismet.php
> /wp-content/themes/classic/index.php
> /wp-content/themes/classic/comments.php
> /wp-content/themes/classic/comments- popup.php
> /wp-content/themes/classic/footer.php
> /wp-content/themes/classic/header.php
> /wp-content/themes/classic/sidebar.php
> /wp-content/themes/default/index.php
> /wp-content/themes/default/404.php
> /wp-content/themes/default/archive.php
> /wp-content/themes/default/archives.php
> /wp-content/themes/default/attachment.php
> /wp-content/themes/default/comments-popup.php
> /wp-content/themes/default/footer.php
> /wp-content/themes/default/functions.php
> /wp-content/themes/default/header.php
> /wp-content/themes/default/links.php
> /wp-content/themes/default/page.php
> /wp-content/themes/default/search.php
> /wp-content/themes/default/searchform.php
> /wp-content/themes/default/sidebar.php
> /wp-content/themes/default/single.php
> /wp-includes/default-filters.php
> /wp-includes/kses.php
> /wp-includes/locale.php
> /wp-includes/rss-functions.php
> /wp-includes/template-loader.php
> /wp-includes/vars.php
> /wp-includes/wp-db.php
>
>
> Greetz:
>
> simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure,
> hunter, themenotor ...
>
> Contact:
>
> Author: Mourad [ zero ]
> Email : xzerox(at)linuxmail(dot)org
Powered by blists - more mailing lists