Wordpress Security Update

Friday, January 5. 2007

Friday, January 5. 2007



For all those not reading security mailinglists. It is time to upgrade your WordPress blog (if you are among those, not using Serendipity). Today WordPress 2.0.6 was released that fixes several security vulnerabilities. Among these security fixes are two dangerous vulnerabilities reported by us.


The first vulnerability is an XSS (Cross Site Scripting) hole in WordPress's own CSRF protection. [READ MORE]


And the second vulnerability is a very interesting SQL injection. Very interesting, because it abuses charset conversion support to bypass the database escaping routines. Our demo exploit uses UTF-7. [READ MORE]



Both vulnerabilities have the potential to compromise the admin account, which in case of WordPress might allow arbitrary PHP code execution due to WordPress features.

Posted by Stefan Esser in Security, PHP at 21:42
Comments (10)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 more details ()
That was quick:
http://www.flickr.com/photos/soul4bblade/
posted on Friday, January 5. 2007
#2 Mark Jaquith wrote (Link) ()
Thanks for your help with this, Stefan. The mb one was fascinating to me -- excellent catch.
posted on Saturday, January 6. 2007
#3 zmx ()
Hi Stefan.
This sql injection exploit is working even if magic_qoutes is enabled?
I was thinking that a simple quote (') is not changed when UTF-7 encoded.
posted on Saturday, January 6. 2007
#3.1 Stefan Esser wrote (Link) ()
It is not necessary to encode a single quote in UTF-7. However it is possible.

The UTF-7 encoding for a single quote is for example +ACc- which of course goes through all escaping.
posted on Saturday, January 6. 2007
#3.1.1 zmx ()
Thanks for the information.
It seems that I'm doing something wrong. Will look more into it.
I'm not trying to publish an exploit, just curious about the exploitation.
You found some very interesting problems :-)
posted on Saturday, January 6. 2007
#4 Cristian Rodriguez wrote (Link) ()
thanks Stefan, I updated one of the few WP blogs I need to mantain, but I wont use it for myself.. it's codebase cause me ..hrmmm.. some disgusting sensations.. ;-)

Ohh..btw.. the sql injection exploit is very.very interesting..gonna study it ;-)
posted on Sunday, January 7. 2007
#5 fwolf wrote (Link) ()
do you know if this also affects WordPress MU aka Multiuser WordPress? I'm currently thinking about setting up its latest version at some of my sites to reduce the work I have to do to update each single install of WP.

thanks in advance,
cu, w0lf.
posted on Sunday, January 7. 2007
#6 zmx ()
The exploit was leaked?
http://www.milw0rm.org/exploits/3095
posted on Monday, January 8. 2007
#6.1 Stefan Esser wrote (Link) ()
Well now seems the best time to upgrade WordPress.
posted on Monday, January 8. 2007
#6.1.1 fwolf wrote (Link) ()
looks like as if the WP folks already reacted to this bug and tried to fix it.

=> see latest news on wp-weblog

cu, w0lf
posted on Tuesday, January 16. 2007

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

Submitted comments will be subject to moderation before being displayed.
 
Calendar
Back September '09
Mon Tue Wed Thu Fri Sat Sun
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30        
Archives
September 2009
August 2009
July 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP