[wp-trac] Re: [WordPress Trac] #7710: admin account exploit
WordPress Trac
wp-trac at lists.automattic.com
Mon Sep 8 15:20:33 GMT 2008
#7710: admin account exploit
-----------------------------+----------------------------------------------
Reporter: jeremyclark13 | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.6.2
Component: Security | Version: 2.6.1
Severity: critical | Resolution:
Keywords: milworm exploit |
-----------------------------+----------------------------------------------
Changes (by Otto42):
* milestone: => 2.6.2
Comment:
Supporting info:
http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
Basic problem: MySQL will consider "admin" = "admin(55 spaces)x" because
it doesn't do binary comparisons on the data when the column is a string
type, so the spaces are truncated off (as is the x, due to the length
limit on the column).
Looks like `ALTER TABLE wp_users DROP INDEX user_login_key , ADD UNIQUE
user_login_key ( user_login )` would prevent it, to me. With a unique
index, the insert of the new "admin(spaces)x" user would fail because of
the comparison as well. And the user_login name should be unique anyway.
--
Ticket URL: <http://trac.wordpress.org/ticket/7710#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
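The collision Otto42 describes, and the effect of the UNIQUE index he proposes, reproduced as an added example (not code from the ticket or from WordPress). It uses a reduced copy of the wp_users table (the real 2.6 table has more columns; the varchar(60) user_login and the non-unique user_login_key index are as in that schema) and assumes MySQL 5.x with a PAD SPACE collation and a non-strict sql_mode, so an over-long value is silently truncated rather than rejected. It goes one step beyond the comment at the end: strict mode alone stops the 61-character value but not a 60-character "admin" + 55 spaces, which still compares equal, so the unique index is what actually closes the hole.

```sql
-- Added example, not from the ticket or WordPress: reproduce the
-- truncation collision on a reduced wp_users and then apply the fix.
-- Assumes MySQL 5.x, a PAD SPACE collation (the era's default) and a
-- non-strict sql_mode so over-long values are truncated, not rejected.
SET SESSION sql_mode = '';

DROP TABLE IF EXISTS wp_users_demo;
CREATE TABLE wp_users_demo (
  ID         bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  user_login varchar(60)  NOT NULL DEFAULT '',
  user_email varchar(100) NOT NULL DEFAULT '',
  PRIMARY KEY (ID),
  KEY user_login_key (user_login)      -- non-unique, as in 2.6.1
) ENGINE=MyISAM DEFAULT CHARSET=utf8;

INSERT INTO wp_users_demo (user_login, user_email)
VALUES ('admin', 'owner@example.com');       -- constructed sample row

-- 'admin' + 55 spaces + 'x' is 61 characters; the column holds 60, so the
-- trailing 'x' is dropped and only 'admin' + 55 spaces is stored.
INSERT INTO wp_users_demo (user_login, user_email)
VALUES (CONCAT('admin', REPEAT(' ', 55), 'x'), 'attacker@example.com');
SHOW WARNINGS;   -- Warning 1265: Data truncated for column 'user_login'

-- PAD SPACE comparison ignores trailing spaces, so both rows match 'admin'.
SELECT ID, CHAR_LENGTH(user_login) AS len, user_email
FROM wp_users_demo
WHERE user_login = 'admin';
-- Two rows come back: len 5 (owner) and len 60 (attacker).

-- Otto42's fix: make the index unique. The rows above already collide, so
-- remove the attacker row first, otherwise the ALTER itself fails.
DELETE FROM wp_users_demo WHERE user_email = 'attacker@example.com';
ALTER TABLE wp_users_demo
  DROP INDEX user_login_key,
  ADD UNIQUE user_login_key (user_login);

-- The same INSERT is now refused: the unique index compares with the
-- column collation, so 'admin' + spaces is a duplicate of 'admin'.
INSERT INTO wp_users_demo (user_login, user_email)
VALUES (CONCAT('admin', REPEAT(' ', 55), 'x'), 'attacker@example.com');
-- ERROR 1062 (23000): Duplicate entry ... for key 'user_login_key'

-- Caveat: strict mode rejects the 61-character value outright, but a
-- 60-character 'admin' + 55 spaces needs no truncation and still compares
-- equal to 'admin'. Without the unique index it would be inserted; with
-- it, the insert is again refused with error 1062.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO wp_users_demo (user_login, user_email)
VALUES (CONCAT('admin', REPEAT(' ', 55)), 'attacker@example.com');
-- ERROR 1062 (23000): Duplicate entry ... for key 'user_login_key'
```

Run it in a throwaway database; the last INSERT failing with 1062 rather than succeeding is the check that the unique index, not the length limit, is what blocks the duplicate login.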