<div id="mb_0"><p>WordPress 2.1.2 xmlrpc Multiple Vulnerabilities:</p>
<p><strong>Affected Versions</strong>: These issues were reported in
version 2.1.2, and it is very likely that previous versions are also vulnerable.</p>
<p>1. <strong>Privilege Escalation</strong>:</p>
<p>Under normal circumstances (through the web interface) a user in the contributor role only has access to the following functions:</p>
<p>a. read<br>
b. edit_posts</p>
<p>functionality 'publish_posts' is restricted to users in the author,
editor or administrator roles. However, this is not implemented in
xmlrpc.php and this allows a user in the contributor roles to publish a
previously saved post to the website.</p>
<p>No exploit code is required.</p>
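<p>The following is an added example, not code from WordPress or from this advisory. It models the capability check that the advisory says the XML-RPC path lacks: a role-to-capability map built only from the roles and functions named above, a weak handler that publishes for any authenticated caller, and a hardened handler that enforces 'publish_posts' the way the web interface does. The map, the function names and the sample post are constructed; in WordPress itself the equivalent check is <code>current_user_can('publish_posts')</code>, with the refusal returned to the client as an <code>IXR_Error</code>.</p>

```php
<?php
// Added example (not WordPress code): a minimal model of the capability
// check missing from the XML-RPC publish path in 2.1.2. Role names and
// capabilities are the ones listed in the advisory; the map is constructed.
$ROLE_CAPS = array(
    'contributor'   => array('read', 'edit_posts'),
    'author'        => array('read', 'edit_posts', 'publish_posts'),
    'editor'        => array('read', 'edit_posts', 'publish_posts'),
    'administrator' => array('read', 'edit_posts', 'publish_posts'),
);

// Stand-in for WordPress's current_user_can(): does this role carry the capability?
function user_can(array $roleCaps, string $role, string $cap): bool {
    return isset($roleCaps[$role]) && in_array($cap, $roleCaps[$role], true);
}

// Weak handler: once the caller is authenticated, the post is published
// regardless of role. This is the behaviour the advisory describes.
function xmlrpc_publish_weak(array $post, string $role): array {
    $post['status'] = 'publish';
    return $post;
}

// Hardened handler: the XML-RPC path enforces the same capability the web
// interface does. In WordPress the failure would be an IXR_Error(401, ...).
function xmlrpc_publish_hardened(array $roleCaps, array $post, string $role): array {
    if (!user_can($roleCaps, $role, 'publish_posts')) {
        return array('error' => 401, 'message' => 'Sorry, you cannot publish this post.');
    }
    $post['status'] = 'publish';
    return $post;
}

// Constructed sample: a previously saved (draft) post.
$draft = array('id' => 42, 'status' => 'draft');
foreach (array('contributor', 'author') as $role) {
    $weak = xmlrpc_publish_weak($draft, $role);
    $hard = xmlrpc_publish_hardened($ROLE_CAPS, $draft, $role);
    printf("%-12s weak=%s hardened=%s\n", $role, $weak['status'],
        isset($hard['error']) ? "denied({$hard['error']})" : $hard['status']);
}
```

<p>Run with <code>php</code> from the command line: the contributor is published by the weak handler and denied with 401 by the hardened one, while the author is published by both. The point to carry over into any XML-RPC or REST endpoint is that authentication is not authorization; every remote method must perform the same capability check as the corresponding screen in the web interface.</p>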
<p>2. <strong>SQL Injection</strong>:</p>
<p>This is only exploitable by authenticated users.<br>
The post_id parameter is not properly sanitized before its value is
passed to the backend database, which results in a SQL injection.
Exploiting this is pretty trivial. As it is an integer-based
injection, it works irrespective of the "magic quotes" setting. I
wrote a simple proof of concept for this.<br>
<a href="http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl" target="_blank">Download Exploit</a></p>
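<p>The following is an added example, not code from WordPress or from this advisory. It shows why the "magic quotes" setting is irrelevant to an integer-based injection and what the fix looks like: <code>magic_quotes_gpc</code> only applies <code>addslashes()</code> to request data, so a value embedded unquoted into a numeric comparison is passed through untouched, whereas rejecting anything that is not a plain integer (or casting to <code>int</code>) closes the hole. The query shape, the function names and the sample inputs are constructed and are not the query from xmlrpc.php; <code>$wpdb-&gt;prepare()</code> is mentioned only because it is the idiomatic fix in later WordPress versions.</p>

```php
<?php
// Added example (not WordPress code): integer-based injection versus magic
// quotes, and the integer validation that fixes it. Query shape is constructed.

// magic_quotes_gpc applies addslashes() to request data: it escapes quotes,
// backslashes and NUL bytes, and nothing else.
function magic_quotes(string $v): string {
    return addslashes($v);
}

// Weak: the value is trusted after magic quotes and embedded unquoted, so
// a numeric comparison can be extended with arbitrary SQL.
function build_query_weak(string $post_id): string {
    $escaped = magic_quotes($post_id);
    return "SELECT * FROM wp_posts WHERE ID = $escaped";
}

// Hardened: a post ID is an integer, so accept only digits. Returning null
// lets the caller answer the XML-RPC client with an error instead of a query.
function validate_post_id(string $post_id): ?int {
    if (!ctype_digit($post_id)) {
        return null;
    }
    return (int) $post_id;
}

function build_query_hardened(string $post_id): ?string {
    $id = validate_post_id($post_id);
    if ($id === null) {
        return null;
    }
    // In WordPress 2.3 and later this would be
    // $wpdb->prepare("SELECT * FROM wp_posts WHERE ID = %d", $id);
    // 2.1.2 predates prepare(), so the integer cast is the fix available there.
    return "SELECT * FROM wp_posts WHERE ID = $id";
}

// Constructed test inputs: a legitimate ID, an unquoted tautology that
// magic quotes cannot touch, and a quoted one that magic quotes does escape.
$inputs = array('42', '42 OR 1=1', "42' OR '1'='1");
foreach ($inputs as $in) {
    echo "input:    $in\n";
    echo "  weak:     " . build_query_weak($in) . "\n";
    echo "  hardened: " . (build_query_hardened($in) ?? 'rejected') . "\n";
}
```

<p>The weak builder emits <code>WHERE ID = 42 OR 1=1</code> unchanged for the second input, which is exactly why the advisory notes that the injection works regardless of magic quotes; only the third, quoted input is altered by <code>addslashes()</code>. The hardened builder accepts the first input and rejects the other two before any SQL is assembled. Type-checking every numeric parameter at the XML-RPC boundary is cheap and removes the whole class of bug, independent of any escaping setting.</p>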
<p><strong>Successful Exploitation</strong> of this will give you the
usernames and MD5 password hashes of all users, including the admin user.
Once you have the admin user's hash, needless to say, you can create a PHP
backdoor, and that is essentially game over.</p>
<p><strong>Workaround</strong>:<br>1. Disable xmlrpc if you don't use it, or restrict its access to trusted users only.</p>
<p><strong>Vendor's response:</strong><br>
1. vendor notified on 22nd March 2007.<br>
2. New Version released on 2nd April 2007.<br>
3. Advisory released on 2nd April 2007.</p>
</div><br>-- <br>Sumit Siddharth<br><a href="http://www.notsosecure.com">www.notsosecure.com</a><br><br>