Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: WordPress 2.0.3 SQL Error and Full Path Disclosure
From: nate <nate () securityminded net>
Date: Thu, 13 Jul 2006 09:28:55 -0700

I'm currently using wordpress 2.0.2, I've been trying all of these and have not noticed any of these working what so ever. It just pulls up my 404 page. I am also not using the default permalink structure, but rather date and name structure.

Just a little more information on this issue.

-nate


On Jul 12, 2006, at 8:22 PM, Aaron Newman wrote:

I don't believe it is SQL Injection. I'm looking at version 2.0.3.

The number placed in the query string does factor into the value inserted
into the SQL statement. Here is another example:

http://10.11.11.110/wordpress/index.php?paged=-1000

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to
use near '-10010, 10' at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-07-13 02:54:59' AND (post_status = "publish" OR post_author = 1 AND post_status != 'draft' AND post_status != 'static') AND post_status != "attachment" GROUP
BY wp_posts.ID ORDER BY post_date DESC LIMIT -10010, 10

Note that the paged value is factored into the first argument of the LIMIT
clause. Definition of LIMIT from the MySQL website:
"The LIMIT clause can be used to constrain the number of rows returned by the SELECT statement. LIMIT takes one or two numeric arguments, which must
both be non-negative integer constants (except when using prepared
statements).

With two arguments, the first argument specifies the offset of the first row to return, and the second specifies the maximum number of rows to return.
The offset of the initial row is 0 (not 1):

SELECT * FROM tbl LIMIT 5,10;  # Retrieve rows 6-15"

The error is actually happening because the first argument to limit can not
be negative.

This database call is generated in the file /wp-includes/classes.php

Here it is:

function &get_posts() {
<snip>
                // Paging
                if (empty($q['nopaging']) && ! $this->is_single && !
$this->is_page) {
                        $page = $q['paged'];
                        if (empty($page)) {
                                $page = 1;
                        }

                        if (($q['what_to_show'] == 'posts')) {
                                $pgstrt = '';
                                $pgstrt = (intval($page) -1) *
$q['posts_per_page'] . ', ';
                                $limits = 'LIMIT
'.$pgstrt.$q['posts_per_page'];

In the last line, its inserting $pgstrt into the LIMIT clause. $pgstrt is set to the intval of the value submitted to the querystring - 1 multiplied by the posts_per_page. According to the PHP documentation, "intval return value: The integer value of var on success, or 0 on failure." So if you put a string into $page, you are still going to get back 0, so I see no way of
inserting text, spaces, or anything useful for SQL Injection in this
particular place.

Looking at this code, another opportunity for SQL injection would arise from manipulating posts_per_page. A quick scan through the code doesn't look like
manipulating posts_per_page is obvious.

I wonder how much security research has been done on this function. It looks pretty complicated which leaves a real opportunity for SQL injection to
popup somewhere.


Another interesting security issue I just came across with the login
process. A failed login tells you whether it was a bad username or password. Sybase ASE 11.0 exhibited the same behavior, but they fixed it in a dot release. Oracle 8i did the same thing (although very subtely). This is great for making the end user's life easier, but it makes 1 factor authentication (passwords) even weaker then it already is (would you call it 1/2 factor
authentication?).

It would be trivial to write a Perl script to brute-force usernames making a password attack a factor easier. Then another Perl script to brute- force the password for any discovered username. Coupled with no password lockout on Wordpress, I'll bet password attacks are way too effective on Wordpress.

Regards,
Aaron C. Newman
aaroncharlesnewman () yahoo com






-----Original Message-----
From: zck zck [mailto:zckzck () gmail com]
Sent: Wednesday, July 12, 2006 3:24 AM
To: bugtraq () securityfocus com
Subject: Re: WordPress 2.0.3 SQL Error and Full Path Disclosure

Isn't this actually an SQL Injection rather than information leakage?

Try :
http://localhost/wordpress/index.php?paged=%27

I mean, the error message (this time in English) is:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to
use near '-10, 10' at line 1]

It specifically says that "You have an error in your SQL syntax", which
means my input goes into the query...

-----Original Message-----
From: xzerox () linuxmail org [mailto:xzerox () linuxmail org]
Sent: Sunday, July 02, 2006 12:15
To: bugtraq () securityfocus com
Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure

WordPress 2.0.3 SQL Error and Full Path Disclosure Discovered By zero
[Moroccan Security Team]
Software: WordPress 2.0.3
Site : www.wordpress.org

~ SQL Error ~

Example:

http://localhost/wordpress/index.php?paged=-1

Result:

WordPress database error: [Erreur de syntaxe pr?s de '-20, 10' ? la ligne 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <=
'2006-06-29 12:46:59' AND (post_status = "publish") AND post_status !=
"attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10


~ Full path ~

/wp-settings.php
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php
/wp-admin/edit-form-advanced.php
/wp-admin/edit-form-comment.php
/wp-admin/edit-link-form.php
/wp-admin/edit-page-form.php
/wp-admin/menu.php
/wp-admin/menu-header.php
/wp-admin/upgrade-functions.php
/wp-admin/upgrade-schema.php
/wp-admin/import/blogger.php
/wp-admin/import/dotclear.php
/wp-admin/import/livejournal.php
/wp-admin/import/mt.php
/wp-admin/import/rss.php
/wp-admin/import/textpattern.php
/wp-content/plugins/hello.php
/wp-content/plugins/wp-db-backup.php
/wp-content/plugins/akismet/akismet.php
/wp-content/themes/classic/index.php
/wp-content/themes/classic/comments.php
/wp-content/themes/classic/comments- popup.php
/wp-content/themes/classic/footer.php
/wp-content/themes/classic/header.php
/wp-content/themes/classic/sidebar.php
/wp-content/themes/default/index.php
/wp-content/themes/default/404.php
/wp-content/themes/default/archive.php
/wp-content/themes/default/archives.php
/wp-content/themes/default/attachment.php
/wp-content/themes/default/comments-popup.php
/wp-content/themes/default/footer.php
/wp-content/themes/default/functions.php
/wp-content/themes/default/header.php
/wp-content/themes/default/links.php
/wp-content/themes/default/page.php
/wp-content/themes/default/search.php
/wp-content/themes/default/searchform.php
/wp-content/themes/default/sidebar.php
/wp-content/themes/default/single.php
/wp-includes/default-filters.php
/wp-includes/kses.php
/wp-includes/locale.php
/wp-includes/rss-functions.php
/wp-includes/template-loader.php
/wp-includes/vars.php
/wp-includes/wp-db.php


Greetz:

simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure,
hunter, themenotor ...

Contact:

Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]