June 20, 2005
Whois Spam
Looks like whois is now prone to spam as well. Look at what google.com returns:
me@server$ whois google.com
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
GOOGLE.COM.ZZZZ.DNSW.COM
GOOGLE.COM.VN
GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM
GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET
GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM
GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM
GOOGLE.COM.AU
GOOGLE.COM
To single out one record, look it up with "xxx", where xxx is one of the
of the records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.
Posted by 0xFF3300 at 01:13 PM
June 01, 2005
Wordpress 1.5 SQL-Injection Attack
The most critical vulnerability in the 1.5 release of WordPress is an
SQL injection in `wp-trackback.php'. It is not easily exploitable,
because you do not get a result when you inject a valid query, but it is
possible to brute-force values in the tables, for example the password
hashes.
Here are some details:
The parameter `tb_id' in `wp-trackback.php' is not validated correctly,
and there are no quotes around it in the SQL query, so an attacker is
able to insert SQL commands.
$pingstatus = $wpdb->get_var("SELECT ping_status FROM $wpdb->posts
WHERE ID = $tb_id");
Example: (I converted the POST request into a GET request.)
> $tb_id = 1 union select user_pass,0 from wp_users
> $url = bla
> $title = bla
wp_users&url=bla&title=bla>
By injecting this query I get the following database error:
> WordPress database error:
> [The used SELECT statements have a different number of columns]
> SELECT ping_status FROM wp_posts WHERE ID = 1 union select 0,
> user_pass from wp_users
When I insert "1 union select user_pass from wp_users" as the value for
`tb_id' I get no error message, because the query was well-formed, which
is logical. Because any SQL command can be inserted, it is possible to
'reconstruct' values of the tables.
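As an added example that is not part of the advisory or of WordPress itself: the strict integer check the quoted query lacks, applied as detection logic over constructed access-log lines (the combined log format, the client addresses and the timestamps are assumptions; the injected value is the one from the advisory, URL-encoded).

```python
import re
from urllib.parse import urlparse, parse_qs

# tb_id is a post ID, so the only acceptable shape is an unsigned decimal.
# This is the validation wp-trackback.php 1.5 did not perform before
# interpolating the value, unquoted, into the SELECT.
INT_RE = re.compile(r"[0-9]+")

def is_valid_tb_id(value: str) -> bool:
    return INT_RE.fullmatch(value) is not None

# Assumed Apache/nginx combined-log request field: "<method> <target> HTTP/x.y".
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def extract_tb_id(log_line: str):
    """Return (method, tb_id) for GET requests to wp-trackback.php that carry
    tb_id in the query string, else None. POST bodies are not in access logs,
    so the advisory's original POST variant is invisible here; that is why the
    fix belongs in the application, not in log monitoring."""
    m = REQ_RE.search(log_line)
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    if not parsed.path.endswith("/wp-trackback.php"):
        return None
    values = parse_qs(parsed.query, keep_blank_values=True).get("tb_id")
    if not values:
        return None
    return m.group("method"), values[0]   # parse_qs already URL-decodes

def scan_log(lines):
    """Flag every tb_id that is not a plain integer (e.g. contains 'union select')."""
    hits = []
    for line in lines:
        found = extract_tb_id(line)
        if found is not None and not is_valid_tb_id(found[1]):
            hits.append(found)
    return hits

# Constructed sample log lines (not taken from the advisory or any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2005:07:00:00 +0200] "GET /wp-trackback.php?tb_id=12&url=http%3A%2F%2Fexample.org&title=hi HTTP/1.1" 200 312',
    '192.0.2.11 - - [01/Jun/2005:07:00:05 +0200] "GET /wp-trackback.php?tb_id=1+union+select+user_pass%2C0+from+wp_users&url=bla&title=bla HTTP/1.1" 500 87',
    '192.0.2.12 - - [01/Jun/2005:07:00:09 +0200] "GET /index.php?p=1 HTTP/1.1" 200 5120',
    '192.0.2.13 - - [01/Jun/2005:07:00:12 +0200] "POST /wp-trackback.php HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for method, tb_id in scan_log(SAMPLE_LOG):
        print(f"suspicious tb_id via {method}: {tb_id!r}")
```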
o XSS:
=====
o Disclosure Timeline:
=====================
17 Apr 05 - Security flaws discovered.
19 Apr 05 - Vendor contacted.
10 May 05 - Vendor released bugfixed version.
17 May 05 - Public release.
o Solution:
==========
Upgrade to wordpress 1.5.1 [1]
o Credits:
=========
Thomas Waldegger
BuHa-Security Community - http://buha.info/board/
Posted by 0xFF3300 at 07:21 AM