www.notsosecure.com

From Pentesters To Pentesters

I recently came across this security advisory and decided to find out what the undisclosed issues could be. I downloaded WordPress 2.0 to find these undisclosed issues. Why I am interested in WordPress 2.0 is a different story though. :)
It was trivial to figure out that this version has no protection against CSRF attacks. The file wp-admin/options-reading.php has a parameter, posts_per_rss, that appears to have been left unsanitized. It is possible to make an admin submit (via CSRF) a malicious value for this parameter; the value is saved as a blog option and is only used later, when the RSS feed is generated, where it lands in the query's LIMIT clause and produces a database error. However, the injection seems really difficult to exploit.

Example: http://192.168.1.183:80/apache2-default/wordpress/?feed=rss2

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2007-01-08 04:12:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 10'

As the injection point is after LIMIT, and because of the ORDER BY clause, I think it is not exploitable.
If you think it is indeed exploitable, drop me an email now...

Windows Server 2003 can be configured to restrict the hours and days on which a user may log on to a Windows Server 2003 domain. As described below, this restriction can be turned into username enumeration.

Issue: Microsoft Windows Active Directory Username Enumeration

Criticality: Less Critical

Impact: Exposure of system information

Description: Microsoft Windows Active Directory contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the Windows domain controller returns different error messages depending on whether a valid username was supplied via Windows Terminal Services. This only happens for user accounts that have logon-hour restrictions set, and only when those accounts are used during the restricted time. The difference in messages can be used to enumerate valid usernames, resulting in a loss of confidentiality.

Vendor's response:
“We will NOT be issuing a security update for this issue.
It is likely that in a next version or service pack of the product we may consider making changes, but not before then”.

Screenshots:
1. Error returned When Account is Accessed at Restricted time
2. Error returned When Account is Accessed at Permitted time


WordPress 2.1.2 xmlrpc.php Multiple Vulnerabilities:

Affected versions: these issues were found in version 2.1.2 (the current stable version at the time of writing), and it is very likely that previous versions are also vulnerable.

1. Privilege Escalation:

Under normal circumstances (through the web interface) a user in the contributor role only has access to the following capabilities:

a. read
b. edit_posts

The publish_posts capability is restricted to users in the author, editor or administrator roles. However, xmlrpc.php does not enforce this check, which allows a user in the contributor role to publish a previously saved post to the website.

No exploit code is required.
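Added example (not from the original post and not WordPress code) showing the XML-RPC exchange behind this issue and the capability check that was missing. The page does not name the affected method; the code assumes it is mt.publishPost, the MovableType-API method that WordPress implements in xmlrpc.php (arguments: post_id, username, password). The blog URL, credentials, post ID and both server replies are constructed sample data, and ROLE_CAPS models only what the advisory says about each role.

```python
import xmlrpc.client

# Assumption (the page does not name the method): the affected call is the
# MovableType-API method mt.publishPost(post_id, username, password).
METHOD = "mt.publishPost"
BLOG_URL = "http://blog.example/xmlrpc.php"          # placeholder target


def build_publish_request(post_id, username, password):
    """Serialise the XML-RPC body a contributor POSTs to xmlrpc.php.
    A well-behaved client sends post_id as <int>; XML-RPC lets the client
    choose the type, which is why the same parameter is also an injection
    point in the second issue on this page."""
    return xmlrpc.client.dumps((int(post_id), username, password),
                               methodname=METHOD)


def parse_publish_response(xml_body):
    """Decode the server reply: the boolean result, or raise Fault on rejection."""
    params, _method = xmlrpc.client.loads(xml_body)
    return params[0]


# Constructed sample replies: success, and the fault a correct check returns.
SAMPLE_OK = ("<?xml version='1.0'?><methodResponse><params><param>"
             "<value><boolean>1</boolean></value></param></params></methodResponse>")
SAMPLE_DENIED = ("<?xml version='1.0'?><methodResponse><fault><value><struct>"
                 "<member><name>faultCode</name><value><int>401</int></value></member>"
                 "<member><name>faultString</name><value><string>not allowed to publish"
                 "</string></value></member></struct></value></fault></methodResponse>")

# Capabilities as the advisory states them: contributor has read and edit_posts
# only; publish_posts belongs to author, editor and administrator.
ROLE_CAPS = {
    "contributor":   {"read", "edit_posts"},
    "author":        {"read", "edit_posts", "publish_posts"},
    "editor":        {"read", "edit_posts", "publish_posts"},
    "administrator": {"read", "edit_posts", "publish_posts"},
}


def may_publish(role, require_publish_cap):
    """Server-side decision. require_publish_cap=False reproduces the flaw:
    being allowed to edit the post is taken as being allowed to publish it.
    The web interface (and the fix) additionally require publish_posts."""
    caps = ROLE_CAPS[role]
    if "edit_posts" not in caps:
        return False
    return (not require_publish_cap) or ("publish_posts" in caps)


def publish_via_xmlrpc(role, post, require_publish_cap):
    """Handle a publish request for a saved draft and return the reply XML,
    so the client-side parser above can be run against it."""
    if not may_publish(role, require_publish_cap):
        return SAMPLE_DENIED
    post["post_status"] = "publish"
    return SAMPLE_OK


if __name__ == "__main__":
    print(build_publish_request(17, "contrib", "s3cret"))     # constructed values
    draft = {"ID": 17, "post_status": "draft"}
    reply = publish_via_xmlrpc("contributor", draft, require_publish_cap=False)
    print("2.1.2 behaviour:", parse_publish_response(reply), draft["post_status"])
    try:
        parse_publish_response(publish_via_xmlrpc("contributor", draft, True))
    except xmlrpc.client.Fault as fault:
        print("with the check:", fault.faultCode, fault.faultString)
```

The point to take from may_publish is that "can edit this post" and "can publish posts" are different capabilities; an XML-RPC endpoint has to apply exactly the same capability tests as the web interface, or the role model is only as strong as its weakest entry point.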

2. SQL Injection:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before it is passed to the backend database, which results in a SQL injection. Exploiting this is pretty trivial: as it is an integer-based injection (the value is used unquoted in the query), it works irrespective of the magic_quotes setting, because escaping quote characters does nothing to a payload that contains none. I wrote a simple proof of concept for this.
Download Exploit
—————————————————–
Exploit
—————————————————–

Successful exploitation of this will give you the usernames and MD5 password hashes of all users, including the admin user. Before you run mdcrack on these hashes, read my previous post on WordPress cookies, as it will save you time.
Once you have the admin user's hash you can, needless to say, create a PHP backdoor, and that is essentially game over.

About the PoC:
The PoC demonstrates how critical SQL injection vulnerabilities can be. It goes beyond obtaining the admin hashes: it also returns the usernames and encrypted passwords of the MySQL user(s) from the mysql.user table, and, if the database connection runs as a privileged MySQL user (load_file() requires the FILE privilege), it will also try to fetch /etc/passwd, or any other file for that matter.
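Added example covering both injection points on this page (it is neither the author's PoC nor WordPress code): the posts_per_rss value that the WordPress 2.0 CSRF stores and that lands after LIMIT when the feed is generated, and the unquoted post_id of 2.1.2 that a UNION SELECT turns into a dump of wp_users. Python's bundled SQLite stands in for MySQL; the tables, rows and MD5 hashes are constructed, and addslashes() is re-implemented to show what magic_quotes_gpc did to request data. The mysql.user and load_file() tricks the PoC also uses are MySQL-only and are left out.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the WordPress schema: a three-column subset of
    wp_posts plus the real wp_users column names. The hashes are md5('admin')
    and md5('password'), so a cracker finds them instantly."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_posts VALUES (1, 'Hello world!', 'Welcome to WordPress.');
        INSERT INTO wp_users VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
        INSERT INTO wp_users VALUES (2, 'contrib', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def addslashes(value):
    """PHP addslashes(): what magic_quotes_gpc applied to every request value."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


# --- WordPress 2.0: the stored posts_per_rss option ends up after LIMIT ---
FEED_SQL = ("SELECT ID, post_title, post_content FROM wp_posts "
            "WHERE 1=1 ORDER BY ID DESC LIMIT 0, %s")


def feed_vulnerable(db, posts_per_rss):
    """The option is concatenated exactly as stored; a CSRF-planted value of
    10' reproduces the "LIMIT 0, 10'" syntax error shown on the page."""
    return db.execute(FEED_SQL % posts_per_rss).fetchall()


def feed_error(db, posts_per_rss):
    """Run the feed query and return the database error text, or None."""
    try:
        feed_vulnerable(db, posts_per_rss)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def feed_fixed(db, posts_per_rss):
    """Validate on use (and do the same on save): a LIMIT count is a
    non-negative integer, bound as a parameter rather than concatenated."""
    count = int(posts_per_rss)
    if count < 0:
        raise ValueError("posts_per_rss must be >= 0")
    return db.execute(FEED_SQL.replace("%s", "?"), (count,)).fetchall()


# --- WordPress 2.1.2: post_id is used unquoted, so addslashes() is no help ---
POST_SQL = "SELECT ID, post_title, post_content FROM wp_posts WHERE ID = "


def get_post_vulnerable(db, post_id):
    """Magic quotes only escape quote characters; a payload for an integer
    context needs none, so it reaches the database intact."""
    return db.execute(POST_SQL + addslashes(post_id)).fetchall()


def get_post_fixed(db, post_id):
    """Cast first, then bind; a non-numeric id is rejected instead of run."""
    try:
        pid = int(post_id)
    except ValueError:
        return []
    return db.execute(POST_SQL + "?", (pid,)).fetchall()


# The UNION works because the column count matches the original SELECT.
DUMP_USERS = "0 UNION SELECT ID, user_login, user_pass FROM wp_users"


if __name__ == "__main__":
    db = build_db()
    print("2.0 feed with 10':", feed_error(db, "10'"))
    print("2.0 feed fixed:   ", feed_fixed(db, "10"))
    print("2.1.2 dump:       ", get_post_vulnerable(db, DUMP_USERS))
    print("2.1.2 fixed:      ", get_post_fixed(db, DUMP_USERS))
```

The two fixed functions make the same point from the defender's side: a value that is only ever meaningful as a number should be cast to one at the trust boundary and bound as a query parameter, which closes the 2.1.2 hole regardless of magic quotes and, applied when the option is saved, would have left the 2.0 CSRF with nothing to inject.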

Workaround:
1. Disable xmlrpc.php if you don't use it, or restrict access to it to trusted users only.

Vendor's response:
1. Vendor notified on 22nd March 2007.
2. New version released on 2nd April 2007.
3. Advisory released on 2nd April 2007.
