Re: WordPress Search Function SQL-Injection

To: SaMuschie <samuschie@xxxxxxxx>
Subject: Re: WordPress Search Function SQL-Injection
From: Justin Frydman - Thinkweb Media <justin@xxxxxxxxxxxxxxxxx>
Date: Tue, 27 Feb 2007 15:14:14 -0600
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, vuln-dev@xxxxxxxxxxxxxxxxx, webappsec@xxxxxxxxxxxxxxxxx
In-reply-to: <20070227203955.65267.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070227203955.65267.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
User-agent: RoundCube Webmail/0.1b

Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

On Tue, 27 Feb 2007 21:39:55 +0100 (CET), SaMuschie <samuschie@xxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> +--------------------------------------- -  -- -
> | SaMuschie Research Labs proudly presents . . .
> +-------------------------------------------  -- -  -  
> | Application: wordpress
> | Version: <= 2.1.1
> | Vuln./Exploit Type: SQL-Injection
> | Status: 0day
> +----------------------------------------- --  -  -  
> | Discovered by: Samenspender
> | Released: 20070227
> | SaMuschie Release Number: 2
> +------------------------------- -  -- -
> 
> Searching for a single ,,comma,, generates a sql error message.
> 
> e.g.:
> 
> http://wordpress-deutschland.org/?s=,
> 
> results in:
> 
>     "WordPress Datenbank-Fehler: [You have an error in your SQL syntax;
> check the
> manual that corresponds to your MySQL server version for the right syntax
> to 
> use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER
> BY 
> post_date DE' at line 1] 
> SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND
> () 
> AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date
> DESC
> LIMIT 0, 10"
> 
> +-----------------------------  -- -
> | Lameness Disclaimer
> +------------------------------------- - -- -  -  
> | SaMuschie Research Labs was found to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> | 
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of 
> | this advisory are requested not to ask any questions
> | to the researchers.... they don't know the answer ;) 
> +----------------------------------  - --  - -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> 
> iD8DBQFF5GSdMFgfGpQK8VERAvOWAJwLms5H6b4So3tO19lc3eHMGeNvLwCdHAP8
> ZfylSi7g8HINHkpBYzYgUqE=
> =fBdH
> -----END PGP SIGNATURE---

Follow-Ups:
- Re: WordPress Search Function SQL-Injection
  - From: ascii

References:
- WordPress Search Function SQL-Injection
  - From: SaMuschie

Prev by Date: iDefense Security Advisory 02.27.07: Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability
Next by Date: [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass]
Previous by thread: WordPress Search Function SQL-Injection
Next by thread: Re: WordPress Search Function SQL-Injection
Index(es):
- Date
- Thread