Undisclosed WordPress 2.0 Security Issues

June 5, 2007

I recently came across this security advisory and decided to find out what the undisclosed issues could be. I downloaded wordpress 2.0 to find these undisclosed issues. Why i am interested in wordpress 2.0 is a different story though. 🙂
It was trivial to figure out that this version has no protection against CSRF attacks. the file wp-admin/options-reading.php has a parameter posts_per_rss that seems to have been left unsanitized. It is possible to make an admin submit (via csrf) a malicious value of this paramter which will eventually result in a database error. However, the injections seems really difficult to exploit.

example:-http://192.168.1.183:80/apache2-default/wordpress/?feed=rss2

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”’ at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2007-01-08 04:12:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 10'

As the injection point is after Limit and because of the Order By clause, i think it is not exploitable.
If you think it is indeed exploitable drop me an email now...

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback