On Fri, Jul 01, 2011 at 11:23:40AM +0200, SEC Consult Vulnerability Lab wrote:
> SEC Consult Vulnerability Lab Security Advisory < 20110701-0 >
> =======================================================================
>               title: Multiple SQL Injection Vulnerabilities
>             product: WordPress
>  vulnerable version: 3.1.3/3.2-RC1 and probably earlier versions
>       fixed version: 3.1.4/3.2-RC3
>              impact: Medium
>            homepage: http://wordpress.org/
>               found: 2011-06-21
>                  by: K. Gudinavicius
>                      SEC Consult Vulnerability Lab
>                      https://www.sec-consult.com
> =======================================================================
>
> Vendor description:
> -------------------
> "WordPress was born out of a desire for an elegant, well-architectured
> personal publishing system built on PHP and MySQL and licensed under
> the GPLv2 (or later). It is the official successor of b2/cafelog.
> WordPress is fresh software, but its roots and development go back to
> 2001."
>
> Source: http://wordpress.org/about/
>
>
> Vulnerability overview/description:
> -----------------------------------
> Due to insufficient input validation in certain functions of WordPress
> it is possible for a user with the "Editor" role to inject arbitrary
> SQL commands. By exploiting this vulnerability, an attacker gains
> access to all records stored in the database with the privileges of the
> WordPress database user.
>
>
> Proof of concept:
> -----------------
> 1) The get_terms() filter declared in the wp-includes/taxonomy.php file
> does not properly validate user input, allowing an attacker with
> "Editor" privileges to inject arbitrary SQL commands in the "orderby"
> and "order" parameters passed as array members to the vulnerable filter
> when sorting, for example, link categories.
>
> The following URLs could be used to perform blind SQL injection
> attacks:
>
> http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL injection]&order=[SQL injection]
> http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL injection]&order=[SQL injection]
> http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL injection]&order=[SQL injection]
>
>
> 2) The get_bookmarks() function declared in the
> wp-includes/bookmark.php file does not properly validate user input,
> allowing an attacker with "Editor" privileges to inject arbitrary SQL
> commands in the "orderby" and "order" parameters passed as array
> members to the vulnerable function when sorting links.
>
> The following URL could be used to perform blind SQL injection attacks:
>
> http://localhost/wp-admin/link-manager.php?orderby=[SQL injection]&order=[SQL injection]
>
>
> Vulnerable / tested versions:
> -----------------------------
> The vulnerability has been verified to exist in version 3.1.3 of
> WordPress, which is the most recent version at the time of discovery.
>
>
> Vendor contact timeline:
> ------------------------
> 2011-06-22: Contacting vendor through security@xxxxxxxxxxxxx
> 2011-06-22: Vendor reply, sending advisory draft
> 2011-06-23: Vendor confirms security issue
> 2011-06-30: Vendor releases patched version
> 2011-07-01: SEC Consult publishes advisory
>
>
> Solution:
> ---------
> Upgrade to version 3.1.4 or 3.2-RC3
>
>
> Workaround:
> -----------
> A more restrictive role, e.g. "Author", could be applied to the user.
>
>
> Advisory URL:
> -------------
> https://www.sec-consult.com/en/advisories.html
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> SEC Consult Unternehmensberatung GmbH
>
> Office Vienna
> Mooslackengasse 17
> A-1190 Vienna
> Austria
>
> Tel.: +43 / 1 / 890 30 43 - 0
> Fax.: +43 / 1 / 890 30 43 - 25
> Mail: research at sec-consult dot com
> https://www.sec-consult.com
>
> EOF K. Gudinavicius / @2011

Do the WordPress people know if this issue has a CVE identifier already? At
least the author of the advisory didn't request one, nor could I find one
from lists / web.

References:
http://secunia.com/advisories/45099/
http://wordpress.org/news/2011/06/wordpress-3-1-4/

This is also not listed in OSVDB, which I can handle after we receive a
CVE identifier.

Best regards,
Henri Salo
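The class of bug the advisory describes (sort column and direction taken straight from an "orderby"/"order" array into the query) and the check that closes it, as an added Python example that is neither WordPress code nor the vendor's actual fix: ORDER BY targets cannot be bound as query parameters, so the only safe option is an allowlist lookup before the value reaches the SQL string. The `links` table, its columns and its rows are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the bookmark records the advisory talks about
# (not the WordPress schema).
SCHEMA = "CREATE TABLE links (link_id INTEGER, link_name TEXT, link_updated TEXT)"
ROWS = [(1, "beta", "2011-06-01"), (2, "alpha", "2011-06-20"), (3, "gamma", "2011-05-15")]

# Allowlists: the caller's "orderby" value is a key, never a raw identifier,
# and the direction must be one of two fixed keywords.
ALLOWED_ORDERBY = {"id": "link_id", "name": "link_name", "updated": "link_updated"}
ALLOWED_ORDER = {"ASC", "DESC"}


def unsafe_order_clause(args):
    """The pattern described in the advisory: the 'orderby' and 'order'
    array members are concatenated into the query without validation."""
    return f"ORDER BY {args.get('orderby', 'link_name')} {args.get('order', 'ASC')}"


def safe_order_clause(args):
    """Allowlisted version: an unknown column or direction falls back to a
    default instead of being interpolated into the SQL string."""
    orderby = ALLOWED_ORDERBY.get(str(args.get("orderby", "name")).lower(), "link_name")
    order = str(args.get("order", "ASC")).upper()
    if order not in ALLOWED_ORDER:
        order = "ASC"
    return f"ORDER BY {orderby} {order}"


def get_links(args, clause_builder=safe_order_clause):
    """Run the constructed query against an in-memory SQLite database and
    return the link names in the order the clause produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO links VALUES (?, ?, ?)", ROWS)
    sql = f"SELECT link_name FROM links {clause_builder(args)}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    hostile = {"orderby": "link_name; -- injected", "order": "DESC"}
    # The unvalidated builder passes the caller's text through verbatim ...
    print(unsafe_order_clause(hostile))
    # ... while the allowlisted builder replaces it with the default column.
    print(safe_order_clause(hostile))
    print(get_links({"orderby": "name", "order": "desc"}))
```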