SecurityTracker.com
Category:   Application (Generic)  >   WordPress Vendors:   wordpress.org
WordPress Input Validation Flaw in Search Function Lets Remote Users Inject SQL Commands
SecurityTracker Alert ID:  1019071
SecurityTracker URL:  http://securitytracker.com/id/1019071
CVE Reference:   CVE-2007-6318   (Links to External Site)
Updated:  Dec 12 2007
Original Entry Date:  Dec 11 2007
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 2.3.1 and prior versions
Description:   A vulnerability was reported in WordPress in the search function. A remote user can inject SQL commands.

The search function does not properly validate user-supplied input when certain character sets are used. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database.

The Big5 and GBK character sets are affected.

A demonstration exploit is provided:

http://[target]/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23

Abel Cheung reported this vulnerability.

The original advisory is available at:

http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt

Impact:   A remote user can execute SQL commands on the underlying database.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.wordpress.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  WordPress Charset SQL injection vulnerability (re-resend)




Terribly sorry, gmail messed up the GPG signature. Hope this one can
get through.



=== WordPress Charset SQL Injection Vulnerability ===

Release date: 2007-12-10
Last modified: 2007-12-10
Source: Abel Cheung <abelcheung at gmail dot com>
Affected version: WordPress <= 2.3.1
Exploit type: Remote
Risk: Moderate
CVE: pending
Reference: http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt


1. Summary
2. Detail
3. Proof of concept
4. Workaround


1. Summary

  Quoting from http://wordpress.org/:
    WordPress is a state-of-the-art semantic personal publishing platform
    with a focus on aesthetics, web standards, and usability.
    What a mouthful. WordPress is both free and priceless at the same time.

  It is found that the search function provided within WordPress fails to
  sanitize input based on different character sets. So if WordPress tries
  to query the MySQL database using certain specific character sets, the
  WordPress search function is exploitable using charset-based SQL injection.

  Currently known exploitable character sets include Big5 and GBK.
  All of them may use backslash ('\') as part of a multibyte character.
  WordPress with a MySQL database created in any other character set
  fulfilling such a property may also be exploitable.

  Executing this attack alone results in exposure of all database
  content on web interface without need of authentication. However, if
  combined with other exploits (such as cookie authentication vulnerability
  in http://www.cl.cam.ac.uk/~sjm217/advisories/wordpress-cookie-auth.txt),
  any remote user can obtain WordPress admin privilege, resulting in server
  compromise.


2. Detail

  Most database queries in WordPress use the escape() method to sanitize SQL
  strings, which essentially filters input via the addslashes() function.
  However, addslashes() fails to consider the character set used in the SQL
  string, and blindly inserts a backslash before any single quote, regardless
  of whether such backslashes will form another valid character or not.

  In the proof of concept used in this advisory, two bytes 0xB327 are
  injected into the search variable. After escaping the string with escape(),
  a backslash (0x5C) is inserted before the single quote (0x27), thus becoming
  0xB35C27. However, 0xB35C is a valid Big5 multibyte character,
  leaving the single quote behind, so SQL injection occurs. The same
  multibyte character is also valid under GBK encoding.

  Inside the SQL statement used within the proof of concept, the MD5 hashes
  of all users' passwords are selected from the database and presented as
  post titles. With a suitable SQL statement, any database field can be
  dumped in a similar way.

  Currently it is known that the WordPress search function uses this
  insufficient method to sanitize database queries. Possibly other
  database queries utilizing the same method to filter user input are
  equally susceptible.

  However, note that WordPress sites using such character sets are not
  very common, since most default installations use either the latin1 or
  utf8 character set. Asian sites, in particular Chinese ones, are more
  likely to be vulnerable.

  Although all WordPress versions before 2.3.1 are vulnerable, only
  WordPress 2.2 or above allows changing the database query character set
  via the WordPress configuration file (wp-config.php). For all versions
  below 2.2, modifying the MySQL configuration to use those character sets
  is needed for the exploit to be functional. The setting of the WordPress
  HTML character set (adjustable within the WordPress admin page) is
  irrelevant.


  Relevant code is listed below. In wp-includes/query.php:

// If a search pattern is specified, load the posts that match
if ( !empty($q['s']) ) {
  ......
  foreach((array)$q['search_terms'] as $term) {
    $term = addslashes_gpc($term);
  ......
}

  addslashes_gpc() is defined in wp-includes/formatting.php:

function addslashes_gpc($gpc) {
  ......
  return $wpdb->escape($gpc);
}


  Finally, escape() method belongs to wp-includes/wp-db.php:

function escape($string) {
  return addslashes( $string ); // Disable rest for now, causing problems
  ......
}


3. Proof of concept

  a. After WordPress installation, modify wp-config.php to make sure
     it uses a certain character set for the database connection (Big5 can
     also be used):
     define('DB_CHARSET', 'GBK');

  b. http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23


4. Workaround

  Note: This vulnerability only exists for database queries performed
  using certain character sets. For databases created in most other
  character sets no remedy is needed.

  a. It is recommended to convert the WordPress database to use character
     sets not vulnerable to such an SQL exploit. One such charset is UTF-8,
     which does not use backslash ('\') as part of a character and supports
     various languages.
  b. Alternatively, edit the WordPress theme to remove the search capability.


-- 
Abel Cheung   (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1  41EE 4152 E1F1 C671 86FF
--------------------------------------------------------------------
* GNOME Hong Kong - http://www.gnome.hk/
* Opensource Application Knowledge Assoc. - http://oaka.org/

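The following Python script is an added example; it is not part of the advisory above and not WordPress code. It reproduces the mechanism from section 2 of the advisory and the reasoning behind workaround 4a at the byte level: a byte-oriented addslashes() puts 0x5C in front of the quote in 0xB327, a connection using Big5 or GBK absorbs that 0x5C as the trail byte of the character 0xB35C, and the quote is left live. Beside it sits a charset-aware escaper that decodes in the connection charset first (so the dangling lead byte is rejected rather than escaped blindly), and a check, generalised beyond the page to any codec Python knows, for whether a charset can swallow a backslash this way; it reports Shift_JIS as well, which the advisory does not name. All function names and the sample input are the example's own constructions.

```python
# Constructed sample input: the advisory's two-byte search value, a Big5/GBK
# lead byte 0xB3 followed by an ASCII single quote. Test data only.
PAYLOAD = b"\xb3'"

# The bytes PHP's addslashes() puts a backslash in front of: ' " \ and NUL.
ADDSLASHES_BYTES = {0x27, 0x22, 0x5C, 0x00}


def naive_addslashes(data: bytes) -> bytes:
    """Byte-level escaping in the manner of PHP's addslashes(): insert 0x5C in
    front of every quote, backslash and NUL byte with no idea which charset the
    bytes belong to. This mirrors the escape() method quoted in the advisory."""
    out = bytearray()
    for b in data:
        if b in ADDSLASHES_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_seen_by_server(data: bytes, charset: str) -> str:
    """Decode the escaped bytes the way a MySQL connection in `charset` would.
    If the inserted 0x5C is consumed as the trail byte of a multibyte
    character, the quote after it survives unescaped."""
    return data.decode(charset)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape characters, not bytes: decode strictly in the connection charset
    (a dangling lead byte such as 0xB3 before a quote raises), escape the
    dangerous characters, then re-encode. Prepared statements avoid the
    whole problem; this shows the minimum a string escaper must do."""
    text = data.decode(charset)  # UnicodeDecodeError on a dangling lead byte
    text = (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"')
                .replace("\x00", "\\0"))
    return text.encode(charset)


def escape_rejects(data: bytes, charset: str) -> bool:
    """True when charset-aware escaping refuses the input as malformed."""
    try:
        charset_aware_escape(data, charset)
    except UnicodeDecodeError:
        return True
    return False


def charset_absorbs_backslash(charset: str) -> bool:
    """True if some two-byte sequence ending in 0x5C decodes to ONE character,
    i.e. the charset can swallow a backslash into a multibyte character. This
    is the property the advisory says makes Big5 and GBK exploitable; here it
    is checked generically against any codec Python provides."""
    for lead in range(0x80, 0x100):
        try:
            if len(bytes([lead, 0x5C]).decode(charset)) == 1:
                return True
        except UnicodeDecodeError:
            continue
    return False


if __name__ == "__main__":
    for cs in ("big5", "gbk"):
        escaped = naive_addslashes(PAYLOAD)
        print(f"{cs}: addslashes -> {escaped.hex()}, server sees "
              f"{as_seen_by_server(escaped, cs)!r}")
        print(f"{cs}: charset-aware escape rejects payload: "
              f"{escape_rejects(PAYLOAD, cs)}")
    for cs in ("big5", "gbk", "shift_jis", "utf-8", "latin-1"):
        print(f"{cs:10s} can swallow a backslash: {charset_absorbs_backslash(cs)}")
```

Run it as a script to see the two outcomes side by side: under big5 the naively escaped bytes decode to the character 0xB35C followed by a bare quote, while the charset-aware version refuses the dangling lead byte. The absorption check is what you would run against a site's DB_CHARSET to decide whether workaround 4a (moving to UTF-8, which the check reports as safe) applies.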
