[resolved] new 0-day? (8 posts)

  1. Lancerlot
    Posted 4 years ago #

    So, just saw this link on Reddit:
It says it's a vulnerability in 3.0.4 but I just installed 3.2.1... are we safe?

  2. esmi
    Forum Moderator
    Posted 4 years ago #

    It relates to the use of Timthumb in certain themes & plugins. WordPress itself has never used Timthumb.

  3. Lancerlot
    Posted 4 years ago #

    Ahh ok well thanks for the answer... Just started my first site using WP and wasn't sure.

    I'll have a look through the limited plugins/themes I'm using now to make sure they're not using Timthumb but I'm pretty sure I'm not.

    Thanks again!

  4. esmi
    Forum Moderator
    Posted 4 years ago #

    Any themes uploaded to, or updated on, http://wordpress.org/extend/themes/ within the past 12 months should be fine.

  5. wycks
    Posted 4 years ago #

    @esmi This exploit has nothing at all to do with timthumb, did you even bother to read it?

It is in wp-comments-post.php, using something like value="-1337' UNION SELECT (0,@@VERSION)--" id='comment_post_ID'

  6. BoredEnoughToPost
    Posted 4 years ago #

    Line 20 of wp-comments-post.php in version 3.2.1 is:

    $comment_post_ID = isset($_POST['comment_post_ID']) ? (int) $_POST['comment_post_ID'] : 0;

    Run the quoted payload through the same cast:

    <?php
    // Same (int) cast that wp-comments-post.php applies to comment_post_ID.
    $var = "-1337' UNION SELECT (0,@@VERSION)--";
    echo $var;        // the raw payload, untouched
    echo "<br/>";
    $var = (int) $var;
    echo $var;        // the cast value: only the leading integer survives

    Output:

    -1337' UNION SELECT (0,@@VERSION)--
    -1337

    When casting a string to an int in PHP, it will only cast the string up until it finds an invalid character.

    So all in all, this should have zero effect on the latest version.
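
    An added example, not code from this thread or from WordPress itself, to show what the (int) cast discussed above does to the quoted payload, beside a deliberately unsafe string interpolation for contrast and a stricter filter_var() check. The function names, the wp_posts query shape and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the thread or from WordPress core). The function
// names, the wp_posts query and the sample inputs below are assumptions.

// Constructed inputs: the payload quoted in the thread plus ordinary values.
const SAMPLE_INPUTS = [
    "-1337' UNION SELECT (0,@@VERSION)--",
    "42",
    "42 OR 1=1",
    "abc",
    "",
];

// Unsafe: the raw POST value is concatenated straight into SQL. This is NOT
// what wp-comments-post.php does; it is here only to show what the cast
// prevents. The closing quote in the payload breaks out of the literal.
function build_query_unsafe(string $raw): string {
    return "SELECT ID FROM wp_posts WHERE ID = '" . $raw . "'";
}

// Same cast as line 20 of wp-comments-post.php: (int) keeps the leading
// integer prefix of the string and discards everything after it, so the
// payload collapses to -1337, "42 OR 1=1" to 42, and "abc" to 0.
function cast_post_id(string $raw): int {
    return (int) $raw;
}

// A query built from the cast value can only ever contain an integer literal.
function build_query_cast(string $raw): string {
    return "SELECT ID FROM wp_posts WHERE ID = " . cast_post_id($raw);
}

// Stricter alternative: FILTER_VALIDATE_INT rejects anything that is not a
// whole integer, so a tampered value is refused instead of silently truncated.
// Post IDs are positive, so non-positive values are refused as well.
function validate_post_id(string $raw): ?int {
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return ($v === false || $v <= 0) ? null : $v;
}

foreach (SAMPLE_INPUTS as $raw) {
    printf("input:      %s\n", var_export($raw, true));
    printf("  unsafe:   %s\n", build_query_unsafe($raw));
    printf("  cast:     %s\n", build_query_cast($raw));
    printf("  validate: %s\n\n", var_export(validate_post_id($raw), true));
}
```

    The cast alone is enough to stop the quoted payload from reaching the query as SQL; the filter_var() variant additionally lets the caller tell a tampered value apart from a genuine ID.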

  7. wycks
    Posted 4 years ago #

    And the same goes for 3.0.4 of wp-comments-post.php, since the code is the same. I believe this was changed in 2.8, so in essence this is bunk.

  8. FWIW, this particular vulnerability on comment_post_ID was patched 8 years ago. A bit earlier than version 3.0.4. ;)

    In other words, this is crap.

This topic has been closed to new replies.