WordPress.org

Ready to get started?Download WordPress

Forums

WordPress 2.2 (xmlrpc.php) Remote SQL Injection Exploit (19 posts)

  1. BOK
    Member
    Posted 7 years ago #

    Heads up!! Check milw0rm.com
    Any fix now or in the works?

  2. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    Fixed over a week ago.

    Patched version of xmlrpc.php for 2.2 can be found here:
    http://trac.wordpress.org/browser/branches/2.2/xmlrpc.php?rev=5584&format=raw

  3. whooami
    Member
    Posted 7 years ago #

    Ive diffed that file to a reg. 2.2 file and Im not feeling the love with the changes.

    The new file has 4 changes all related like so:

    <api name="WordPress" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />
          <api name="Movable Type" blogID="1" preferred="true" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />
          <api name="MetaWeblog" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />
          <api name="Blogger" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />

    5 changes regarding fixing the $post_date in mysql ...

    1 change like so:

    $max_results = (int) $args[4];

    and this:

    $post_author = $postdata["post_author"];

    Do tell, what specifically adresses that exploit?

    $max_results = (int) $args[4];

    is about the closest I can see.

    ON an off note -- it's nice of 'them' to let people know about things. So, they have a support forum, and people come here asking questions ALL day about things as trivial as setting up permalinks, and they expect the same people that cant set up permalinks to ..

    what? run the svn version?
    idle on trac all day??

    thats a crock of crap.

  4. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    Do tell, what specifically adresses that exploit?

    $max_results = (int) $args[4];

    You nailed it in one.

    The specific changeset is here:
    http://trac.wordpress.org/changeset/5584

    The reason this fixes it is because the exploit posted above relies on the fact that $args[4] is passed directly into the SQL query without modification. Casting $args[4] to an int means that only numbers will get through. Any text injected into there will make that cast return a zero (or an error, either way works).

    The link I posted was to the latest version of the 2.2 branch of xmlrpc.php.

    ON an off note -- it's nice of 'them' to let people know about things. So, they have a support forum, and people sit her asking questions ALL day about setting up permalinks, and they expect the same people that cant set up permalinks to ..

    what? run the svn version?
    idle on trac all day??

    thats a crock of crap.

    To be entirely fair, I see nothing in trac to indicate that anybody knew that this was an exploitable hole and in the wild. It was a bugfix, as far as the text reads to me.

  5. linickx
    Member
    Posted 7 years ago #

    does this effect 2.0.10 ?

    cheers.

  6. whooami
    Member
    Posted 7 years ago #

    thanks for the clarification.

    The link I posted was to the latest version of the 2.2 branch of xmlrpc.php.

    Yes, which isnt the downloadable version -- Im frustrated with the lack of communication, but hey, what else is new.

  7. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    does this effect 2.0.10 ?

    Definitely not. The wp_suggestedCategories function was not in the 2.0 series.

  8. whooami
    Member
    Posted 7 years ago #

    linickx, no.

    2.2 introduced an entirely other api .. thats what this is specific too.

    2.0.x didnt have that yet.

    The exploit doesnt affect 2.0.x and the patch isnt applicable.

  9. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    Yes, which isnt the downloadable version.

    Well, yes. 2.2.1 has not been released yet. It's the 2.2 BRANCH that I pointed to.

  10. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    Westi pointed out (on trac) that this exploit only works if the remote user already has one valid user and password, and so the only vulnerable sites would be those with user registration enabled.

  11. whooami
    Member
    Posted 7 years ago #

    as the exploit says.. neither here nor there imo.

    Thats informational only and not especially heartening.

  12. linickx
    Member
    Posted 7 years ago #

    whooamu & Otta42, thanks :)

  13. ThomasKalka
    Member
    Posted 7 years ago #

    isnt

    $category = $args[3];
    ....
    WHERE cat_name LIKE '{$category}%'

    exploitable either ?

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    No. Above that, the code calls $this->escape($args); which should escape them and eliminate any issues.

    The exploitable bug in the max_results is that it comes at the end of the query. So if you sent: "0 UNION ALL SELECT user_login, user_pass..." you could pull out extra information, and that would get past the escape filter. Any useful exploit code that could be inserted into that LIKE clause would not make it through the escape.

  15. drmike
    Member
    Posted 7 years ago #

    I apoligize for the modlook but may I suggest removing the '&format=raw' out of that link within the second post? I know my browser can't handle the link. Landing on the page would probably be better.

  16. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    The format=raw makes it serve up as an application/octet-stream, which makes any normal browser open a save dialog. That's why I posted that link. You should be saving the raw file and using it that way.

    Here's the link if you want it in a text format, but you should really download the file using the raw link instead:
    http://trac.wordpress.org/browser/branches/2.2/xmlrpc.php?rev=5584&format=txt

  17. BlogCini
    Member
    Posted 7 years ago #

    any offical patch link?

  18. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    BlogCini: It's already been posted:
    http://trac.wordpress.org/browser/branches/2.2/xmlrpc.php?rev=5584&format=raw

    There is no official release yet, it'll be in WordPress 2.2.1 which is still in Release Candidate mode.

    WordPress 2.2.1RC1 is here, if you prefer:
    http://wordpress.org/wordpress-2.2.1-RC1.zip

  19. safeday
    Member
    Posted 6 years ago #

    I'm getting "System Error. Code 123. The filename, directory name, or volume label syntax is incorrect (EOSError)" on initial setup

    I know that it has something to do with the xmlrpc.php file, but can not figure it out. I am trying to use Blog Jet to write my page. I also have the same problem with Windows Live Writer.

    Anyone got a solution

Topic Closed

This topic has been closed to new replies.

About this Topic