NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Full-Disclosure> 2007-04

[Full-disclosure] Wordpress 2.1.2 xmlrpc Vulnerabilities

From: Sumit Siddharth (sumit.siddharthgmail.com)
Date: Thu Apr 05 2007 - 17:49:15 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities:

*Affected Versions*: These issues were reported in version 2.1.2 and its
very likely that previous versions may also be vulnerable.

1.* Privilidge Escalation*:

Under normal circumstances (through web interface) a user in contributor
role only has access to following functions:

a. read
b. edit_posts

functionality 'publish_posts' is restricted to users in the author, editor
or administrator roles. However, this is not implemented in xmlrpc.php and
this allows a user in the contributor roles to publish a previously saved
post to the website.

No exploit code is required.

2. *SQL Injection*:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to
the backend database which results in a Sql injection. Exploiting this is
pretty trivial. As, it is an integer based injection, it works irrespective
of the setting "magic quote". I wrote a Simple Proof Of Concept for this.
Download Exploit<http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl>
—————————————————–

*Successful Exploitation* of this will give you usernames and md5 hash of
password of all users including admin user. Once you have the admin user
hash needless to say you can create a php backdoor and that essentialy is
game over.

**[image: :-)]

*Workaround*:
1. Disable xmlrpc if you dont use it or restrict its access to trusted users
only.

*Vendor's response:*
1. vendor notified on 22nd March 2007.
2. New Version released on 2nd April 2007.
3. Advisory released on 2nd April 2007

--
Sumit Siddharth
www.notsosecure.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]