Message-ID: <20110706135903.GA3026@foo.fgeek.fi>
Date: Wed, 6 Jul 2011 16:59:03 +0300
From: Henri Salo <henri@...v.fi>
To: security@...omattic.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: SEC Consult SA-20110701-0 :: Multiple SQL injection vulnerabilities in WordPress
On Fri, Jul 01, 2011 at 11:23:40AM +0200, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
> =======================================================================
> title: Multiple SQL Injection Vulnerabilities
> product: WordPress
> vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
> fixed version: 3.1.4/3.2-RC3
> impact: Medium
> homepage: http://wordpress.org/
> found: 2011-06-21
> by: K. Gudinavicius
> SEC Consult Vulnerability Lab
> https://www.sec-consult.com
> =======================================================================
>
> Vendor description:
> -------------------
> "WordPress was born out of a desire for an elegant, well-architectured
> personal publishing system built on PHP and MySQL and licensed under
> the GPLv2 (or later). It is the official successor of b2/cafelog.
> WordPress is fresh software, but its roots and development go back to
> 2001."
>
> Source: http://wordpress.org/about/
>
>
>
> Vulnerability overview/description:
> -----------------------------------
> Due to insufficient input validation in certain functions of WordPress
> it is possible for a user with the "Editor" role to inject arbitrary
> SQL commands. By exploiting this vulnerability, an attacker gains
> access to all records stored in the database with the privileges of the
> WordPress database user.
>
>
>
> Proof of concept:
> -----------------
> 1) The get_terms() filter declared in the wp-includes/taxonomy.php file
> does not properly validate user input, allowing an attacker with
> "Editor" privileges to inject arbitrary SQL commands in the "orderby"
> and "order" parameters passed as array members to the vulnerable filter
> when sorting for example link categories.
>
> The following URLs could be used to perform blind SQL injection
> attacks:
>
> http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL injection]&order=[SQL injection]
> http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL injection]&order=[SQL injection]
> http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL injection]&order=[SQL injection]
>
>
> 2) The get_bookmarks() function declared in the
> wp-includes/bookmark.php file does not properly validate user input,
> allowing an attacker with "Editor" privileges to inject arbitrary SQL
> commands in the "orderby" and "order" parameters passed as array
> members to the vulnerable function when sorting links.
>
> The following URL could be used to perform blind SQL injection attacks:
>
> http://localhost/wp-admin/link-manager.php?orderby=[SQL injection]&order=[SQL injection]
>
>
> Vulnerable / tested versions:
> -----------------------------
> The vulnerability has been verified to exist in version 3.1.3 of
> WordPress, which is the most recent version at the time of discovery.
>
>
> Vendor contact timeline:
> ------------------------
> 2011-06-22: Contacting vendor through security@...dpress.org
> 2011-06-22: Vendor reply, sending advisory draft
> 2011-06-23: Vendor confirms security issue
> 2011-06-30: Vendor releases patched version
> 2011-07-01: SEC Consult publishes advisory
>
>
>
> Solution:
> ---------
> Upgrade to version 3.1.4 or 3.2-RC3
>
>
> Workaround:
> -----------
> A more restrictive role, e.g. "Author", could be applied to the user.
>
>
>
> Advisory URL:
> -------------
> https://www.sec-consult.com/en/advisories.html
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> SEC Consult Unternehmensberatung GmbH
>
> Office Vienna
> Mooslackengasse 17
> A-1190 Vienna
> Austria
>
> Tel.: +43 / 1 / 890 30 43 - 0
> Fax.: +43 / 1 / 890 30 43 - 25
> Mail: research at sec-consult dot com
> https://www.sec-consult.com
>
> EOF K. Gudinavicius / @2011
Do WordPress people know if this issue has a CVE identifier already? At least the author of the advisory didn't request one, nor could I find one from lists / web.
References:
http://secunia.com/advisories/45099/
http://wordpress.org/news/2011/06/wordpress-3-1-4/
This is also not listed in OSVDB, which I can handle after we receive a CVE identifier.
Best regards,
Henri Salo
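Added example, not code from the advisory, from WordPress or from either poster: the defect described above is an ORDER BY clause built from caller-supplied "orderby"/"order" values, and the standard fix is to map those values through an allowlist before they reach SQL. The snippet shows the flawed builder beside the hardened one, run against a constructed in-memory SQLite table; the table and column names are assumptions, not WordPress's real schema.

```python
import sqlite3

# Constructed stand-in for a terms table (not WordPress's wp_terms schema).
SAMPLE_ROWS = [(1, "News", "news", 5), (2, "Apple", "apple", 2), (3, "Misc", "misc", 9)]

# Allowlists: request value -> real column / direction. Anything else is dropped.
ALLOWED_ORDERBY = {"name": "name", "slug": "slug", "count": "term_count", "id": "term_id"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


def build_terms_query_unsafe(orderby, order):
    # Mirrors the flaw in the advisory: raw request values land in ORDER BY,
    # so the caller controls SQL syntax, not just a column choice.
    return f"SELECT name FROM terms ORDER BY {orderby} {order}"


def sanitize_orderby(orderby, order):
    # Map through the allowlist; unknown values fall back to safe defaults.
    col = ALLOWED_ORDERBY.get(str(orderby).lower(), "name")
    direction = ALLOWED_ORDER.get(str(order).lower(), "ASC")
    return col, direction


def build_terms_query_safe(orderby, order):
    # Only allowlisted identifiers are interpolated, so the request value
    # can never add expressions, extra columns or subqueries to the clause.
    col, direction = sanitize_orderby(orderby, order)
    return f"SELECT name FROM terms ORDER BY {col} {direction}"


def run(query):
    # Execute against a fresh in-memory database and return the name column.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE terms (term_id INTEGER, name TEXT, slug TEXT, term_count INTEGER)")
    conn.executemany("INSERT INTO terms VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    # Same request value: the unsafe builder lets it rewrite the sort; the
    # safe builder discards it and sorts by the default column.
    print(run(build_terms_query_unsafe("term_count DESC, name", "")))
    print(run(build_terms_query_safe("term_count DESC, name", "")))
```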
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/