SQL Injection in WordPress 2.1.1
Upgrading to WordPress 2.1.1 was urgent, but this version still has SQL injection, path disclosure and cross-site scripting problems! My colleague Sebastian Krause has some examples:
a) Path disclosure (should be fixed in 2.0.2?):
http://BLOGURL/wp-settings.php
b) SQL injection in the search form. Put a “,” or “+” or “ ” in the search box or use this URL (this is new in 2.1.1):
http://BLOGURL/index.php?s=%2C
c) XSS:
http://BLOGURL/index.php?s='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
d) SQL injection in ‘where’ clause (should be fixed earlier?):
http://BLOGURL/index.php?m[]‘
There is an open ticket, covering just one bug, at http://trac.wordpress.org/ticket/3722, based on the original post.
Update:
There are even more vulnerabilities in wp-admin.php: http://www.fadetoblack.ch/advisories/wordpress_2.1.1_multiple_script_injection_vulnerabilities.txt
and some AdminPanel CSRF/XSS issues: http://seclists.org/bugtraq/2007/Feb/0494.html
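A defender's view of the four probes (a to d) listed above, as an added example that is not part of the original post: a small Python scanner that flags access-log requests matching each class. The log lines are constructed, and the rule names and the assumption that a legitimate `m` value is all digits are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (trimmed combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2007:10:00:01 +0000] "GET /index.php?s=security+news HTTP/1.1" 200 5120
203.0.113.9 - - [02/Mar/2007:10:00:07 +0000] "GET /wp-settings.php HTTP/1.1" 200 311
203.0.113.9 - - [02/Mar/2007:10:00:09 +0000] "GET /index.php?s=%2C HTTP/1.1" 200 842
203.0.113.9 - - [02/Mar/2007:10:00:12 +0000] "GET /index.php?s='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4980
203.0.113.9 - - [02/Mar/2007:10:00:15 +0000] "GET /index.php?m[]=x HTTP/1.1" 200 790
203.0.113.7 - - [02/Mar/2007:10:01:00 +0000] "GET /index.php?m=200702 HTTP/1.1" 200 6001
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(target):
    """Return the set of probe classes (a-d in the post) a request target matches."""
    parts = urlsplit(target)
    hits = set()
    # a) wp-settings.php is an include file; a direct request is never legitimate.
    if parts.path.endswith("/wp-settings.php"):
        hits.add("path-disclosure")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "s":
            # b) search term made up only of ",", "+" or spaces
            if value and not value.strip(" ,+"):
                hits.add("search-sqli")
            # c) markup characters in the search term
            if re.search(r"[<>]", value):
                hits.add("search-xss")
        # d) "m" sent as an array, or non-numeric (assumption: normal m is digits)
        elif key.startswith("m[") or (key == "m" and not value.isdigit()):
            hits.add("m-param-sqli")
    return hits


def scan(log_text):
    """Return (client_ip, request_target, sorted_hits) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m and (hits := classify(m.group(1))):
            findings.append((line.split()[0], m.group(1), sorted(hits)))
    return findings


if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, hits, target)
```

Several different classes from one client within a few seconds, as in the constructed sample, is a stronger signal than any single hit.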









March 2nd, 2007 at 23:51
WordPress 2.1.1 with backdoor…
WordPress security warning! “If you downloaded WordPress 2.1.1 from wordpress.org within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately”…
March 3rd, 2007 at 13:46
WordPress 2.1.1: Infected original files…
All WordPress users who downloaded version 2.1.1 from Wordpress.org in the last four days should update to 2.1.2 as quickly as possible, because the original files were hacked!
No joke, a look at the WordPress blog shows it:
…