[Full-disclosure] Wordpress 2.1.2 xmlrpc Vulnerabilities

[Sumit Siddharth]

Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities:

*Affected Versions*: These issues were reported in version 2.1.2 and its
very likely that previous versions may also be vulnerable.

1.* Privilidge Escalation*:

Under normal circumstances (through web interface) a user in contributor
role only has access to following functions:

a. read
b. edit_posts

functionality 'publish_posts' is restricted to users in the author, editor
or administrator roles. However, this is not implemented in xmlrpc.php and
this allows a user in the contributor roles to publish a previously saved
post to the website.

No exploit code is required.

2. *SQL Injection*:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to
the backend database which results in a Sql injection. Exploiting this is
pretty trivial. As, it is an integer based injection, it works irrespective
of the setting "magic quote".  I wrote a Simple Proof Of Concept for this.
Download Exploit<http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl>
—————————————————–

*Successful Exploitation* of this will give you usernames and md5 hash of
password of all users including admin user. Once you have the admin user
hash needless to say you can create a php backdoor and that essentialy is
game over.

**[image: :-)]

*Workaround*:
1. Disable xmlrpc if you dont use it or restrict its access to trusted users
only.

*Vendor's response:*
1. vendor notified on 22nd March 2007.
2. New Version released on 2nd April 2007.
3. Advisory released on 2nd April 2007

-- 
Sumit Siddharth
www.notsosecure.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070405/30403b77/attachment.html