Support » Requests and Feedback » SQL Injection

Viewing 7 replies - 1 through 7 (of 7 total)
  • whooami



    there are 2 quick fixes for this until its patched. unfortunately sharing them makes them public, which runs the risk of them not working, so im hesitant to share.

    Ive attempted to exploit my own blog doing this, heres some tips, and my own results are below the tips:

    1. the script depends on the other person knowing your db prefix (it defaults to wp_) So, using a another prefix, while not foolproof (there are ways to cause mysql errors that will reveal your db prefix,)x, is “better” than using the defualt one.

    that prefix, btw, is set inside wp-config.php before you install.

    2. That script relies on the name of your users table being being ‘users’, specifically the prefix used in #1 followed by users, ie, wp_users It follows, then, that using another table name (not users) is another way to ‘hang up’ attmepts
    Again, its possible to cause mysql to spit out an error that would reveal that info, BUT its more work.

    That table name mentioened in #2 is defined in wp-settings.php

    3. That script depends on the name of your trackback file being wp-trackback.php

    4. That script sends NO referer, and NO user-agent.

    Fwiw, attmepting to exploit my own blog, editing out the default values and making sure they matched my own set up, resulted in a failed script (the script ran, no data was returned). I am not saying it doesnt work, just that I couldnt get it to (even knowing all of the pertinent information).

    Ive made 3 changes to my own blog, and 1 small change to another file I use that prevents it from working completely on my own site. It wont even run 🙂

    Of course, I’ve also *always* supressed ALL mysql errors. And this speaks to why sometimes thats a good idea, if you know what youre doing.

    They’re discussing this on one of the WordPress mailing lists. 2.0.6 appears not to be affected by this bug. I don’t know if that’s true or not…




    well, it didnt work for me .. like I said 🙂

    I see a post on the mailing list from someone saying that it still was broken. Not sure if that was you or not.

    Got one post saying that 2.0.6 fixed the issue.

    Aren’t computers fun? 😉

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    This script should not work with 2.06, because it depends on register_globals being on (in order to set $tb_id), and with 2.06, wp-trackback require’s wp-config which includes wp-settings which unsets all globals right at the beginning.

    So I can’t see it working on 2.06 at all. Not with that method.

    Otto42, my limited understanding is that if the server has globals enabled (bad, bad), the unsetting can trigger the issue. This is only resolved in 2.0.7

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Yeah, I found that out later. It won’t happen with most setups, and the only way it would happen was with a bug in specific PHP implementations, appearantly.

    Best to just make sure register_globals is off in the first place.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘SQL Injection’ is closed to new replies.