<<< Date Index >>>     <<< Thread Index >>>

Re: WordPress Search Function SQL-Injection



Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

On Tue, 27 Feb 2007 21:39:55 +0100 (CET), SaMuschie <samuschie@xxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> +--------------------------------------- -  -- -
> | SaMuschie Research Labs proudly presents . . .
> +-------------------------------------------  -- -  -  
> | Application: wordpress
> | Version: <= 2.1.1
> | Vuln./Exploit Type: SQL-Injection
> | Status: 0day
> +----------------------------------------- --  -  -  
> | Discovered by: Samenspender
> | Released: 20070227
> | SaMuschie Release Number: 2
> +------------------------------- -  -- -
> 
> Searching for a single ,,comma,, generates a sql error message.
> 
> e.g.:
> 
> http://wordpress-deutschland.org/?s=,
> 
> results in:
> 
>     "WordPress Datenbank-Fehler: [You have an error in your SQL syntax;
> check the
> manual that corresponds to your MySQL server version for the right syntax
> to 
> use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER
> BY 
> post_date DE' at line 1] 
> SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND
> () 
> AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date
> DESC
> LIMIT 0, 10"
> 
> +-----------------------------  -- -
> | Lameness Disclaimer
> +------------------------------------- - -- -  -  
> | SaMuschie Research Labs was found to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> | 
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of 
> | this advisory are requested not to ask any questions
> | to the researchers.... they don't know the answer ;) 
> +----------------------------------  - --  - -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> 
> iD8DBQFF5GSdMFgfGpQK8VERAvOWAJwLms5H6b4So3tO19lc3eHMGeNvLwCdHAP8
> ZfylSi7g8HINHkpBYzYgUqE=
> =fBdH
> -----END PGP SIGNATURE---