
SQL Injection (8 posts)

  1. clar2242
    Member
    Posted 7 years ago #

    There is an exploit posted on MilW0rm entitled:
    Wordpress <= 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index / sql injection admin hash disclosure exploit

    http://www.milw0rm.com/exploits/3109

    Is this going to be fixed?

  2. whooami
    Member
    Posted 7 years ago #

    There are 2 quick fixes for this until it's patched. Unfortunately sharing them makes them public, which runs the risk of them not working, so I'm hesitant to share.

    I've attempted to exploit my own blog doing this. Here are some tips, and my own results are below the tips:

    1. The script depends on the other person knowing your db prefix (it defaults to wp_). So, using another prefix, while not foolproof (there are ways to cause mysql errors that will reveal your db prefix), is "better" than using the default one.

    That prefix, btw, is set inside wp-config.php before you install.

    2. That script relies on the name of your users table being 'users', specifically the prefix used in #1 followed by users, i.e., wp_users. It follows, then, that using another table name (not users) is another way to 'hang up' attempts.
    Again, it's possible to cause mysql to spit out an error that would reveal that info, BUT it's more work.

    That table name mentioned in #2 is defined in wp-settings.php.

    3. That script depends on the name of your trackback file being wp-trackback.php.

    4. That script sends NO referer, and NO user-agent.

    --

    Fwiw, attempting to exploit my own blog, editing out the default values and making sure they matched my own set up, resulted in a failed script (the script ran, no data was returned). I am not saying it doesn't work, just that I couldn't get it to (even knowing all of the pertinent information).

    I've made 3 changes to my own blog, and 1 small change to another file I use that prevents it from working completely on my own site. It won't even run :)

    Of course, I've also *always* suppressed ALL mysql errors. And this speaks to why sometimes that's a good idea, if you know what you're doing.

  3. drmike
    Member
    Posted 7 years ago #

    They're discussing this on one of the WordPress mailing lists. 2.0.6 appears not to be affected by this bug. I don't know if that's true or not...

  4. whooami
    Member
    Posted 7 years ago #

    Well, it didn't work for me... like I said :)

  5. drmike
    Member
    Posted 7 years ago #

    I see a post on the mailing list from someone saying that it still was broken. Not sure if that was you or not.

    Got one post saying that 2.0.6 fixed the issue.

    Aren't computers fun? ;)

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    This script should not work with 2.0.6, because it depends on register_globals being on (in order to set $tb_id), and with 2.0.6, wp-trackback requires wp-config, which includes wp-settings, which unsets all globals right at the beginning.

    So I can't see it working on 2.0.6 at all. Not with that method.

  7. foolswisdom
    Moderator
    Posted 7 years ago #

    Otto42, my limited understanding is that if the server has globals enabled (bad, bad), the unsetting can trigger the issue. This is only resolved in 2.0.7.

    http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html

  8. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    Yeah, I found that out later. It won't happen with most setups, and the only way it would happen was with a bug in specific PHP implementations, apparently.

    Best to just make sure register_globals is off in the first place.
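An added illustration of the mechanism Otto describes and the advice in the last post (this is example code written for this thread, not WordPress's wp-trackback.php or any code posted above): a handler that silently relies on register_globals to populate `$tb_id`, beside a hardened version that refuses to run with register_globals on, reads the id explicitly from the request and binds it in a prepared statement. The `mysqli` connection, the `posts` table and the `$request` array are assumptions for the example.

```php
<?php
// Constructed example, not WordPress code. Shows why code that counts on
// register_globals is fragile, and the hardened equivalent.

// --- Fragile pattern ----------------------------------------------------------
// With register_globals=On, a request ?tb_id=5 creates the global $tb_id by
// itself. The value is an unvalidated string and is interpolated into SQL, so
// the id must be trusted and register_globals must be on for this to work.
function find_post_fragile(mysqli $db, string $prefix): ?array
{
    global $tb_id;                                   // name taken from the thread, value from the request
    $sql = "SELECT ID FROM {$prefix}posts WHERE ID = $tb_id";   // unsafe string interpolation
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened pattern ---------------------------------------------------------
// 1. Refuse to run at all if register_globals is on (the thread's recommendation).
// 2. Read the id from the request array explicitly and require a positive integer.
// 3. Keep the table prefix out of the request and bind the id in a prepared statement.
function find_post_hardened(mysqli $db, string $prefix, array $request): ?array
{
    // ini_get() returns "" / "0" / "1" on old PHP and false on PHP 5.4+, where the
    // option no longer exists; FILTER_VALIDATE_BOOLEAN treats all but "1"/"on" as off.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('register_globals must be off');
    }

    // Only an integer >= 1 is accepted; anything else (missing, text, SQL) is rejected.
    $id = filter_var($request['tb_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The prefix comes from configuration (wp-config.php in WordPress); whitelist its shape
    // anyway, since identifiers cannot be bound as parameters.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    $stmt = $db->prepare("SELECT ID FROM {$prefix}posts WHERE ID = ?");
    $stmt->bind_param('i', $id);                     // bound as an integer, never as SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();       // get_result() assumes the mysqlnd driver
    return $row ?: null;
}
```

Call `find_post_hardened($db, 'wp_', $_GET)` in place of the global-dependent version; with register_globals off the fragile function has no `$tb_id` at all, which is the behaviour the thread observed.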
