Re: WordPress Search Function SQL-Injection
Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?
On Tue, 27 Feb 2007 21:39:55 +0100 (CET), SaMuschie <samuschie@xxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> +--------------------------------------- - -- -
> | SaMuschie Research Labs proudly presents . . .
> +------------------------------------------- -- - -
> | Application: wordpress
> | Version: <= 2.1.1
> | Vuln./Exploit Type: SQL-Injection
> | Status: 0day
> +----------------------------------------- -- - -
> | Discovered by: Samenspender
> | Released: 20070227
> | SaMuschie Release Number: 2
> +------------------------------- - -- -
>
> Searching for a single ,,comma,, generates a SQL error message.
>
> e.g.:
>
> http://wordpress-deutschland.org/?s=,
>
> results in:
>
> "WordPress Datenbank-Fehler: [You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY
> post_date DE' at line 1]
> SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND ()
> AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC
> LIMIT 0, 10"
>
> +----------------------------- -- -
> | Lameness Disclaimer
> +------------------------------------- - -- - -
> | SaMuschie Research Labs was found to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> |
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of
> | this advisory are requested not to ask any questions
> | to the researchers.... they don't know the answer ;)
> +---------------------------------- - -- - -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFF5GSdMFgfGpQK8VERAvOWAJwLms5H6b4So3tO19lc3eHMGeNvLwCdHAP8
> ZfylSi7g8HINHkpBYzYgUqE=
> =fBdH
> -----END PGP SIGNATURE---
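
The quoted error shows an empty `()` group left in the WHERE clause when the search string is only a comma. The block below is an added example, not part of the original posts and not WordPress code: a Python/SQLite model of a search-clause builder, assuming (hypothetically) that the search string is split on commas and whitespace into LIKE terms. `naive_query`, `safe_query`, `run` and the `posts` table are constructed for illustration.

```python
import re
import sqlite3

# Constructed table standing in for the posts table named in the quoted error.
SCHEMA = "CREATE TABLE posts (post_title, post_content, post_type, post_status, post_date)"
BASE = "SELECT * FROM posts WHERE 1=1"
TAIL = " AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC LIMIT 0, 10"


def split_terms(raw):
    """Split a search string on commas and whitespace, dropping empty pieces (assumed behaviour)."""
    return [t for t in re.split(r"[,\s]+", raw) if t]


def naive_query(raw):
    """Hypothetical fragile builder: always emits the AND (...) group and interpolates terms."""
    clauses = ["(post_title LIKE '%{0}%' OR post_content LIKE '%{0}%')".format(t) for t in split_terms(raw)]
    return BASE + " AND (" + " AND ".join(clauses) + ")" + TAIL


def safe_query(raw):
    """Emit the group only when terms remain; bind each term and escape LIKE wildcards."""
    terms = split_terms(raw)
    sql, params = BASE, []
    if terms:
        group = " AND ".join(["(post_title LIKE ? ESCAPE '\\' OR post_content LIKE ? ESCAPE '\\')"] * len(terms))
        sql += " AND (" + group + ")"
        for t in terms:
            pat = "%" + re.sub(r"([\\%_])", r"\\\1", t) + "%"
            params += [pat, pat]
    return sql + TAIL, params


def run(sql, params=()):
    """Execute against an in-memory SQLite database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO posts VALUES (?,?,?,?,?)", [
        ("Hello world", "first post", "post", "publish", "2007-02-01"),
        ("Sale", "50% off today", "post", "publish", "2007-02-02"),
        ("Draft", "hello again", "post", "draft", "2007-02-03"),
    ])
    try:
        return [r[0] for r in db.execute(sql, params)]
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    print(run(naive_query(",")), run(*safe_query(",")))
```

With the input `,` the naive builder yields the same `WHERE 1=1 AND () AND ...` shape as the quoted query and the database rejects it, while the guarded builder drops the group and returns the normal listing.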