[wp-trac] [WordPress Trac] #4690: Wordpress options.php SQL Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Tue Jul 31 20:07:37 GMT 2007
#4690: Wordpress options.php SQL Injection Vulnerability
-----------------------------+----------------------------------------------
Reporter: BenjaminFlesch | Owner: anonymous
Type: defect | Status: new
Priority: highest omg bbq | Milestone:
Component: Security | Version: 2.2.1
Severity: critical | Keywords:
-----------------------------+----------------------------------------------
Read here:
http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/
beginning from the second point. In short: in options.php the parameter page_options isn't filtered. Patch:
  case 'update':
      $any_changed = 0;
      check_admin_referer('update-options');
*     if ( preg_match("/['\"<>]/", $_POST['page_options']) )
*         wp_die(__('Cheatin’ uh?'));

Add the lines marked with a star in options.php.
Additionally, because of this, persistent XSS and information disclosure may
occur by opening options.php directly in the browser. Better to stop the
database dump.
--
Ticket URL: <http://trac.wordpress.org/ticket/4690>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
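As an added example (not the reporter's patch and not WordPress code), here is how the character check proposed above can be combined with a positive allow-list pattern for the option names. It assumes page_options arrives as a comma-separated list of option names, and the function name validate_page_options is hypothetical:

```php
<?php
// Added example: a stricter validator for the page_options parameter that
// options.php receives. Assumption: page_options is a comma-separated list
// of option names which the update handler then uses to pick rows of the
// options table; the function below is not part of WordPress.

/**
 * Return the list of option names if every entry is safe, or null if the
 * request should be rejected. Two layers are applied:
 *  1. the character check from the ticket (quotes and angle brackets),
 *     which blocks the SQL and HTML metacharacters the report is about;
 *  2. a positive pattern: only [A-Za-z0-9_] names are accepted, so any
 *     character outside that set is rejected instead of having to be listed.
 */
function validate_page_options(string $raw): ?array
{
    // Layer 1: the ticket's own deny-list check.
    if (preg_match("/['\"<>]/", $raw)) {
        return null;
    }
    $clean = [];
    foreach (explode(',', $raw) as $name) {
        $name = trim($name);
        if ($name === '') {
            continue; // tolerate a trailing or doubled comma
        }
        // Layer 2: allow-list by pattern rather than deny-list by character.
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
            return null;
        }
        $clean[] = $name;
    }
    return $clean;
}

// Constructed inputs for illustration, not values from the report.
$cases = [
    'blogname,blogdescription', // legitimate list, accepted
    "blogname'",                // stray quote, rejected by layer 1
    'blogname;siteurl',         // passes layer 1, rejected by layer 2
];
foreach ($cases as $input) {
    $result = validate_page_options($input);
    echo $input, ' => ',
        $result === null ? 'REJECTED' : implode('|', $result), PHP_EOL;
}
```

The second layer matters because a deny-list of four characters leaves every other metacharacter (semicolons, backslashes, comment markers) unfiltered, whereas the allow-list only ever passes strings that look like option names.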