Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

WordPress 2.0.3 SQL Error and Full Path Disclosure

1 view
Skip to first unread message

xze...@linuxmail.org

unread,
Jul 3, 2006, 1:17:41 PM7/3/06
to
WordPress 2.0.3 SQL Error and Full Path Disclosure
Discovered By zero [Moroccan Security Team]
Software: WordPress 2.0.3
Site : www.wordpress.org

~ SQL Error ~

Example:

http://localhost/wordpress/index.php?paged=-1

Result:

WordPress database error: [Erreur de syntaxe pr?s de '-20, 10' ? la ligne 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-06-29 12:46:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10


~ Full path ~

/wp-settings.php
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php
/wp-admin/edit-form-advanced.php
/wp-admin/edit-form-comment.php
/wp-admin/edit-link-form.php
/wp-admin/edit-page-form.php
/wp-admin/menu.php
/wp-admin/menu-header.php
/wp-admin/upgrade-functions.php
/wp-admin/upgrade-schema.php
/wp-admin/import/blogger.php
/wp-admin/import/dotclear.php
/wp-admin/import/livejournal.php
/wp-admin/import/mt.php
/wp-admin/import/rss.php
/wp-admin/import/textpattern.php
/wp-content/plugins/hello.php
/wp-content/plugins/wp-db-backup.php
/wp-content/plugins/akismet/akismet.php
/wp-content/themes/classic/index.php
/wp-content/themes/classic/comments.php
/wp-content/themes/classic/comments-popup.php
/wp-content/themes/classic/footer.php
/wp-content/themes/classic/header.php
/wp-content/themes/classic/sidebar.php
/wp-content/themes/default/index.php
/wp-content/themes/default/404.php
/wp-content/themes/default/archive.php
/wp-content/themes/default/archives.php
/wp-content/themes/default/attachment.php
/wp-content/themes/default/comments-popup.php
/wp-content/themes/default/footer.php
/wp-content/themes/default/functions.php
/wp-content/themes/default/header.php
/wp-content/themes/default/links.php
/wp-content/themes/default/page.php
/wp-content/themes/default/search.php
/wp-content/themes/default/searchform.php
/wp-content/themes/default/sidebar.php
/wp-content/themes/default/single.php
/wp-includes/default-filters.php
/wp-includes/kses.php
/wp-includes/locale.php
/wp-includes/rss-functions.php
/wp-includes/template-loader.php
/wp-includes/vars.php
/wp-includes/wp-db.php


Greetz:

simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure, hunter, themenotor ...

Contact:

Author: Mourad [ zero ]
Email : xzerox(at)linuxmail(dot)org

James Davis

unread,
Jul 4, 2006, 12:38:44 PM7/4/06
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xze...@linuxmail.org wrote:

> ~ Full path ~
>
> /wp-settings.php

...
> /wp-includes/wp-db.php

I think you'll find that this isn't the full path to your Wordpress
installation. Nor has it disclosed any information that's not contained
within the directory structure of the Wordpress tarball.

Regards,

James

- --
James Davis +44 1235 822 229 PGP: 0xC7C92EB7
JANET-CERT 0870 850 2340 (+44 1235 822 340)
Atlas Centre, Chilton, Didcot, Oxfordshire, OX11 0QS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEqhNdIle3s8fJLrcRAnEdAKCpv7sHnSAUGAb0gu73o3dLQ2NLsgCgwnyQ
24wyJcTvppMc8iotCdybJIw=
=ke0P
-----END PGP SIGNATURE-----

Jaroslaw Sajko

unread,
Jul 4, 2006, 3:58:59 PM7/4/06
to
Dnia 02-07-2006, nie o godzinie 09:15 +0000, xze...@linuxmail.org
napisał(a):

> Example:
>
> http://localhost/wordpress/index.php?paged=-1
>
> Result:
>
> WordPress database error: [Erreur de syntaxe pr?s de '-20, 10' ? la ligne 1]
> SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-06-29 12:46:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10

Put this line somewhere in the wp-settings.php file (for example at the
end of the code before the do_action(init) call):

$wpdb->hide_errors();


>
> ~ Full path ~
>
> /wp-settings.php

> /wp-admin/admin-footer.php
> /wp-admin/admin-functions.php
> /wp-admin/edit-form.php

in line 60 of wp-settings.php change to:

error_reporting(0);

Now the World is safe.

--
js


zck zck

unread,
Jul 12, 2006, 7:33:57 PM7/12/06
to
Isn't this actually an SQL Injection rather than information leakage?

Try :
http://localhost/wordpress/index.php?paged=%27

I mean, the error message (this time in English) is:
WordPress database error: [You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near '-10, 10' at line 1]

It specifically says that "You have an error in your SQL syntax",
which means my input goes into the query...

-----Original Message-----
From: xze...@linuxmail.org [mailto:xze...@linuxmail.org]
Sent: Sunday, July 02, 2006 12:15
To: bug...@securityfocus.com
Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure

WordPress 2.0.3 SQL Error and Full Path Disclosure
Discovered By zero [Moroccan Security Team]
Software: WordPress 2.0.3
Site : www.wordpress.org

~ SQL Error ~

Example:

http://localhost/wordpress/index.php?paged=-1

Result:

WordPress database error: [Erreur de syntaxe pr?s de '-20, 10' ? la
ligne 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <=
'2006-06-29 12:46:59' AND (post_status = "publish") AND post_status !=
"attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10


~ Full path ~

/wp-settings.php
/wp-admin/admin-footer.php
/wp-admin/admin-functions.php
/wp-admin/edit-form.php

0 new messages