I don't believe it is SQL Injection. I'm looking at version 2.0.3. The number placed in the query string does factor into the value in the SQL statement. Here is another example:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10010, 10' at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= 02:54:59' AND (post_status = "publish" OR post_author = 1 AND post_status != 'draft' AND post_status != 'static') AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -10010, 10
Note that the paged value is factored into the first argument of the LIMIT clause. Definition of LIMIT from the MySQL website:
"The LIMIT clause can be used to constrain the number of rows returned by the SELECT statement. LIMIT takes one or two numeric arguments, which must both be non-negative integer constants (except when using prepared
With two arguments, the first argument specifies the offset of the first row to return, and the second specifies the maximum number of rows to
The offset of the initial row is 0 (not 1):
SELECT * FROM tbl LIMIT 5,10; # Retrieve rows 6-15"
The error is actually happening because the first argument to LIMIT cannot be negative.
This database call is generated in the file /wp-includes/classes.php. Here it is:

    function &get_posts() {
        // Paging
        if (empty($q['nopaging']) && ! $this->is_single && ! $this->is_page) {
            $page = $q['paged'];
            if (empty($page)) {
                $page = 1;
            }
            if (($q['what_to_show'] == 'posts')) {
                $pgstrt = '';
                $pgstrt = (intval($page) -1) * $q['posts_per_page'] . ', ';
                $limits = 'LIMIT
In the last line, it's inserting $pgstrt into the LIMIT clause. $pgstrt is set to the intval of the value submitted in the query string, minus 1, multiplied by posts_per_page. According to the PHP documentation, "intval
value: The integer value of var on success, or 0 on failure." So if you put a string into $page, you are still going to get back 0, so I see no way of inserting text, spaces, or anything useful for SQL Injection in this particular place.
Looking at this code, another opportunity for SQL injection would arise from manipulating posts_per_page. From a quick scan through the code, a way of manipulating posts_per_page doesn't look obvious.
I wonder how much security research has been done on this function. It looks pretty complicated, which leaves a real opportunity for SQL injection to pop up somewhere.
Another interesting security issue I just came across is with the login process. A failed login tells you whether it was a bad username or
Sybase ASE 11.0 exhibited the same behavior, but they fixed it in a release. Oracle 8i did the same thing (although very subtly). This is great for making the end user's life easier, but it makes 1 factor (passwords) even weaker than it already is (would you call it 1/2
It would be trivial to write a Perl script to brute-force usernames, making a password attack a factor easier. Then another Perl script to brute-force the password for any discovered username. Coupled with no password lockout on WordPress, I'll bet password attacks are way too effective on
Aaron C. Newman
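An added example, not WordPress's own code, contrasting the paging logic quoted above with a version that clamps both values before they reach the LIMIT clause; the per-page cap of 100 is an assumption.

```php
<?php
// Added example (not WordPress code): how the paged / posts_per_page
// values reach the LIMIT clause, and a clamped version that cannot
// produce the negative offset seen in the thread.

// Mirrors the logic quoted from wp-includes/classes.php: intval() turns
// any non-numeric string into 0, but a negative number survives it, and
// (0 - 1) * posts_per_page already yields the "-10, 10" from the thread.
function build_limit_as_posted(string $paged, int $postsPerPage): string {
    $page = $paged;
    if (empty($page)) {
        $page = 1;
    }
    $pgstrt = (intval($page) - 1) * $postsPerPage . ', ';
    return 'LIMIT ' . $pgstrt . $postsPerPage;
}

// Clamped version: cast, then restrict both values to what MySQL accepts
// (offset >= 0, row count >= 1). The request data is only ever used as
// integers, so nothing from it can reach the SQL as text.
function build_limit_clamped($paged, $postsPerPage): string {
    $page    = max(1, intval($paged));                  // 0, "abc", -1000 all become 1
    $perPage = max(1, min(100, intval($postsPerPage))); // assumed cap of 100 rows
    $offset  = ($page - 1) * $perPage;
    return sprintf('LIMIT %d, %d', $offset, $perPage);
}

// Constructed inputs: the value that produces the thread's error, a
// non-numeric string, a normal page number, and an empty parameter.
foreach (['-1000', 'abc', '3', ''] as $paged) {
    printf("paged=%-8s as posted: %-17s clamped: %s\n",
        var_export($paged, true),
        build_limit_as_posted($paged, 10),
        build_limit_clamped($paged, 10));
}
```

With paged='-1000' the posted logic yields "LIMIT -10010, 10" and the clamped version "LIMIT 0, 10"; with paged='abc' the posted logic yields "LIMIT -10, 10".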
-----Original Message-----
From: zck zck [mailto:zckzck@xxxxxxxxx]
Sent: Wednesday, July 12, 2006 3:24 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: WordPress 2.0.3 SQL Error and Full Path Disclosure
Isn't this actually an SQL Injection rather than information leakage?
Try :
I mean, the error message (this time in English) is:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 1]
It specifically says "You have an error in your SQL syntax", which means my input goes into the query...
-----Original Message-----
From: xzerox@xxxxxxxxxxxxx [mailto:xzerox@xxxxxxxxxxxxx]
Sent: Sunday, July 02, 2006 12:15
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure
WordPress 2.0.3 SQL Error and Full Path Disclosure Discovered By zero
[Moroccan Security Team]
Software: WordPress 2.0.3
Site : www.wordpress.org
~ SQL Error ~
WordPress database error: [Erreur de syntaxe près de '-20, 10' à la ligne 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-06-29 12:46:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10
~ Full path ~
/wp-content/themes/classic/comments-popup.php
Greets: simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure, hunter, themenotor ...
Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org