• In the post to Bugtraq on 27th August 2005 subject “Multiple CMS/Forum Vulnablilties” [sic] from jbiaso at gmail, the following claim is made:

    [begin quote]
    ——
    next; wordpress blog sql injection —
    ——

    https://path/to/wordpress/index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),
    +user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/*

    This will give the administrator hash for the wordpress blog/CMS. We
    have also found that if you spoof you’re browser to something like:
    <?php phpinfo(); ?>, and have a failed login attempt; it is eval’d,
    and you can execute your own code.

    [end quote]

    This looks like it would be register_globals dependent, and I haven’t been able to reproduce either of these issues on my WP 1.5.2 installation where register_globals is disabled, but I’d appreciate a definitive response — even better if it’s posted to Bugtraq for the sake of the record.

    Apologies if this has already been asked, it can be difficult to find anything specific on this forum, and it’s really poor that ‘security’ is not shown amongst the tags on the main page.
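A log check for the two request shapes quoted in the post above, as an added example that is not part of the original thread or of WordPress itself. It assumes the Apache/nginx "combined" access-log format and that a legitimate `cat` value is an integer or a comma-separated list of integers; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "combined" log format: request, status, size, referer, user agent.
LOG_RE = re.compile(
    r'"[A-Z]+ (?P<url>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumption: a legitimate cat value is an integer or comma-separated integers.
NUMERIC_CAT = re.compile(r"-?\d+(,-?\d+)*")

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable, so %2527 -> %27 -> ' becomes visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("url")).query
    # parse_qsl strips one layer of encoding, as the server would on receipt.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name != "cat":
            continue
        decoded = fully_decode(value)
        if decoded != value:
            findings.append("cat: multiply-encoded value")
        if not NUMERIC_CAT.fullmatch(decoded):
            findings.append("cat: non-numeric value")
    if "<?" in m.group("ua"):
        findings.append("user-agent: PHP open tag")
    return findings

# Constructed sample lines; the request strings are the ones quoted in the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Aug/2005:10:00:00 +0000] "GET /index.php?cat=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Aug/2005:10:00:05 +0000] "GET /index.php?cat=%2527%20UNION%20SELECT%20CONCAT(CHAR(58),'
    '+user_pass,CHAR(58),user_login,CHAR(58))%20FROM%20wp_users/* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Aug/2005:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "<?php phpinfo(); ?>"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line))
```

The repeated decoding matters because a filter that decodes only once sees `%27` rather than a quote character in the `cat` value.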

Viewing 3 replies - 1 through 3 (of 3 total)
  • I have just tried this on my register_globals disabled site and cannot reproduce.

    With the new code in 1.5.2 to protect against register_globals WordPress should be safe against anything that relies on register_globals.

    As always all possible security issues should be reported to [email protected] not here on the forums.

    The first issue was fixed by 1.5.1.2, way back on May 27th. I can’t confirm the second issue, but it sounds really bogus.

    it’s really poor that ‘security’ is not shown amongst the tags on the main page.

    Why is it poor? The users of these forums are the ones who assign tags to their posts. The tags are indicative of the common issues for which people come here looking for support. In many ways, I think it’s a good thing that so few people have had to come here for security support.

    If you want to see other posts regarding security, you can search for them, rather than rely on the tag list.

    And finally, security questions are best addressed to [email protected]: the recipients of that alias are in a far better position to evaluate the validity of any particular reported exploit. Plus, emailing [email protected] helps ensure that working exploit code not get unnecessarily displayed to folks who can’t responsibly deal with it.

  • The topic ‘Bugtraq post “Multiple CMS/Forum Vulnablilties” 27/8/05’ is closed to new replies.