[wp-hackers] WP 3.0.1 Multiple Sites -- SQL Injection Vulnerability
Philip M. Hofer (Frumph)
philip at frumph.net
Wed Oct 6 18:31:17 UTC 2010
Hey Chuck, I came across this bit of info that you would probably like to
use, 'ease your mind' sort of thinking.
http://www.the-web-mechanic.com/category/wordpress-security/
#9
<?php
/*
Plugin Name: Block Bad Queries
*/
// REQUEST_URI is the raw, still-URL-encoded request target as the client sent it.
$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

// strpos()/stripos() return 0 for a match at offset 0, which is falsy in PHP,
// so compare against false explicitly; stripos() also catches EVAL( / Base64.
if (strlen($request_uri) > 255 ||
    stripos($request_uri, "eval(") !== false ||
    stripos($request_uri, "base64") !== false) {
    @header("HTTP/1.1 414 Request-URI Too Long");
    @header("Status: 414 Request-URI Too Long");
    @header("Connection: Close");
    @exit;
}
?>
You should probably adjust the strlen to something a little lower if
necessary, or add an || for concat( or char(.
----- Original Message -----
From: "Chuck Harris" <charrisjr at gmail.com>
To: <wp-hackers at lists.automattic.com>
Sent: Wednesday, October 06, 2010 10:59 AM
Subject: [wp-hackers] WP 3.0.1 Multiple Sites -- SQL Injection Vulnerability
> Hello:
>
> Any experience with or insight regarding the following would be helpful.
>
> Thank you in advance,
> Chuck Harris
>
> ------------
>
> We are experimenting with the new multiple sites feature in WP 3.x. We
> recently discovered that our site has a SQL injection vulnerability. One of
> the attack sequences was as follows:
>
> http://our_site_url.org/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/*
>
> When changing the 1 to a 2 and using the url:
>
> http://our_site_url.org/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=2/*
>
> Returns a custom 'Not Found' page. This change shows that the server is
> returning different data based upon the results of the sql string it is
> passed.
>
> Has anyone else experienced similar? Is there a remedy? Should we be
> concerned? We are currently searching log files to determine whether or not
> the attack was successful.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
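The log search Chuck mentions, written out as an added example (Python; this is not code from the thread, from the Block Bad Queries snippet, or from WordPress). It parses constructed access-log lines whose request targets mirror the two attack URLs in the original post, URL-decodes and normalizes each target before pattern matching, and, for comparison, applies the condition from the posted snippet the way PHP applies it: to the raw, still-encoded REQUEST_URI, case-sensitively. The log lines, IP addresses, timestamps, sizes and the pattern list are all constructed for illustration.

```python
"""Scan access-log lines for UNION-based SQL injection attempts.

Added example, not code from the wp-hackers thread or from WordPress.
All log lines, addresses and patterns below are constructed for illustration;
the request targets on lines 2 and 3 mirror the URLs in the original post.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log (Apache "combined"-style, without referer/agent).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2010:10:41:02 +0000] "GET /index.php?cat=12 HTTP/1.1" 200 5120
203.0.113.5 - - [06/Oct/2010:10:41:07 +0000] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT%28666,CHAR%2858%29,user_pass,CHAR%2858%29,666,CHAR%2858%29%29,null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1" 200 5310
203.0.113.5 - - [06/Oct/2010:10:41:09 +0000] "GET /index.php?cat=999+UNION+SELECT+null,CONCAT%28666,CHAR%2858%29,user_pass,CHAR%2858%29,666,CHAR%2858%29%29,null,null,null+FROM+wp_users+where+id=2/* HTTP/1.1" 404 1220
203.0.113.5 - - [06/Oct/2010:10:41:15 +0000] "GET /index.php?cat=999%20%55NION/**/%53ELECT%20null,user_pass,null,null,null%20FROM%20wp_users%20where%20id=1/* HTTP/1.1" 200 5310
198.51.100.7 - - [06/Oct/2010:10:42:00 +0000] "GET /?s=base64+encoding+tutorial HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that show up together in a query-string value only when someone is
# splicing SQL into it.  Matched against the normalized (decoded) target.
SQLI_RE = re.compile(r'\bunion\b\s+(?:all\s+)?select\b|\bconcat\s*\(|\bchar\s*\(', re.I)


def normalize(target):
    """Undo what a filter on the raw URI never sees: URL-encoding (applied
    twice to catch double encoding), inline /* */ comments used to split
    keywords, runs of whitespace, and letter case."""
    s = unquote_plus(unquote_plus(target))
    s = re.sub(r'/\*.*?\*/', ' ', s)
    s = re.sub(r'\s+', ' ', s)
    return s.lower()


def posted_filter_blocks(raw_target):
    """The condition from the Block Bad Queries snippet, applied as PHP does:
    to the raw, still-encoded REQUEST_URI, case-sensitively."""
    return (len(raw_target) > 255
            or "eval(" in raw_target
            or "base64" in raw_target)


def scan_log(log_text):
    """Return one dict per parsable line: the SQLi tokens found after
    normalization, the HTTP status, and whether the posted filter would
    have blocked the same request."""
    rows = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        tokens = sorted({t.group(0) for t in SQLI_RE.finditer(normalize(target))})
        rows.append({
            "line": n,
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "sqli_tokens": tokens,
            "posted_filter_blocks": posted_filter_blocks(target),
        })
    return rows


if __name__ == "__main__":
    for row in scan_log(SAMPLE_LOG):
        flag = "SQLi" if row["sqli_tokens"] else "ok  "
        print(f'{flag} line {row["line"]} status {row["status"]} '
              f'tokens={row["sqli_tokens"]} posted_filter={row["posted_filter_blocks"]}')
```

Run against the sample, lines 2 to 4 are flagged and line 5 is not, while the posted condition blocks only line 5: the three attack requests are well under 255 bytes and contain neither `eval(` nor `base64`, and adding `concat(` or `char(` to the string list would still miss lines 2 and 3 because the parenthesis arrives on the wire as `%28`, whereas the harmless search for "base64 encoding tutorial" gets a 414. The 200 versus 404 on lines 2 and 3 is the id=1/id=2 difference the original post describes. A request filter of this kind is a stopgap at best; the remedy is in the code that builds the query, by casting the `cat` value to an integer or passing it through a prepared statement rather than concatenating it into SQL.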