Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Cafelog WordPress / b2 SQL injection vulnerabilities discovered and fixed in CVS
From: Seth Woolley (sethtautology.org)
Date: Fri Oct 03 2003 - 00:11:06 CDT
-----BEGIN PGP SIGNED MESSAGE-----
WordPress (formerly b2)
* CVS versions before October 1, 2003
* Vulnerability affects code inherited from b2, so all versions of
wordpress released before CVS fix are affected and many versions of b2
are also affected.
A number of SQL injection vulnerabilities have been fixed that could allow
arbitrary SQL to be injected if one has local access to the filesystem the
database can access (using 'source filename.sql;'). ''', '"', '\' are all
filtered, and ' ' is munged into SQL constructs before injection, so %09
(tab char) can be used where spaces would normally be in the sql string
one wishes to inject. The problem affects the category (cat) and order by
(order_by) code. The author (author) code was almost vulnerable, except
for a small bug that misconverted author to an integer before string
processing. The problems are located in the blog.header.php file, and a
patch is included below (provided by the authors) that fixes the
vulnerabilities and includes general bug fixes and code cleanup. Any SQL
string not including quotes or a backslash can be injected through the URL
(i.e. 'drop table foo;').
Exploit example exposes private posts. Dropping tables should be trivial,
especially using the order_by flaw.
Sunday, 28 Sept 2003
Dates Vendor Notified:
Monday, 29 Sept 2003 - Tuesday, 30 Sept 2003
Vendor was notified of problems on Monday. On Tuesday, discoverer gave a
full report of the extent of the problems via IRC.
Wednesday, 1 Oct 2003
Thursday, 2 Oct 2003
Seth Woolley <seth at tautology.org>
I (Seth) am not a php expert, and I don't run this code, so I haven't
tested the vendor-provided patch yet, although I assume the vendor has.
I would like to thank the wordpress developers for providing the patch in
a timely and responsible manner (specifically Matthew Mullenweg for being
my vendor contact).
Seth Alan Woolley <seth at tautology.org>, SPAM/UCE is unauthorized
Key id 7BEACC7D = 2978 0BD1 BA48 B671 C1EB 93F7 EDF4 3CDF 7BEA CC7D
Full Key at seth.tautology.org and pgp.mit.edu. info: www.gnupg.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)
-----END PGP SIGNATURE-----