[wp-hackers] WP 3.0.1 Multiple Sites -- SQL Injection Vulnerability

Otto otto at ottodestruct.com
Wed Oct 6 18:27:04 UTC 2010


Sounds like somebody is just trying old attacks. The "cat" SQL
injection was fixed years ago.
http://core.trac.wordpress.org/ticket/2758

The reason you get a different result is easy: You don't have a
category with the ID of "2". The injection isn't working, because the
cat parameter is getting cleaned up before the query gets run.

-Otto



On Wed, Oct 6, 2010 at 12:59 PM, Chuck Harris <charrisjr at gmail.com> wrote:
> Hello:
>
> Any experience with or insight regarding the following would be helpful.
>
> Thank you in advance,
> Chuck Harris
>
> ------------
>
> We are experimenting with the new multiple sites feature in WP 3.x.  We
> recently discovered that our site has a SQL injection vulnerability.  One of
> the attack sequences was as follows:
>
> http://our_site_url.org/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/*
>
> When changing the 1 to a 2 and using the url:
>
> http://our_site_url.org/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=2/*
>
> Returns a custom 'Not Found' page. This change shows that the server is
> returning different data based upon the results of the sql string it is
> passed.
>
> Has anyone else experienced similar?  Is there a remedy?  Should we be
> concerned?  We are currently searching log files to determine whether or not
> the attack was successful.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

