WordPress <= 3.0.1 Authenticated SQL Injection 0day [Patched]
WordPress 2.x – 3.0.1 is vulnerable to an authenticated SQL injection 0day. A lack of proper input validation in the do_trackbacks() function of wp-includes/comment.php allows any logged-in user with publish_posts and edit_published_posts privileges (Author group) to execute arbitrary SELECT SQL queries on the database.
This vulnerability can be exploited by entering a specially-crafted string into the Send Trackbacks field when editing a post. The effect of exploitation is that the user may be able to extract arbitrary information, such as usernames and password hashes, from the database.
What this means to WordPress users:
- If you are the only user (post author) on your blog, then you don’t have to worry.
- If you have other users Author privileges, then they could use this to extract information from your database (including your password hash).
- You can temporarily mitigate this by revoking Author privileges from any users you don’t fully trust.
- All WordPress users are encouraged to update to version 3.0.2 which patches this vulnerability.
See this post for full details.
Bobby Tables: A Guide to Preventing SQL Injection
Just came across Bobby-tables.com whilst Stumbling through the ether that is the interwebs.
Source: XKCD
The aim of the site is to educate software developers (or anyone else interested in development) in the proper manner in which input should be validated prior to being passed into database queries. There are examples for ASP, ColdFusion, C#, Delphi, .NET, Java, Perl, PHP, PostgreSQL, Python, Ruby, and Schema… what, no COBOL?!
Their core recommendations are sound:
- Do not create SQL statements that include outside data.
- Use parameterized SQL calls.
Useful resource. Just thought I’d share.
Loading ...
