BugTraq
Re: WordPress 2.0.3 SQL Error and Full Path Disclosure
Jul 12 2006 07:24AM zck zck (zckzck gmail com) (1 replies)
RE: WordPress 2.0.3 SQL Error and Full Path Disclosure
Jul 13 2006 03:22AM Aaron Newman (aaroncharlesnewman yahoo com) (1 replies)
and have not noticed any of these working whatsoever. It just
pulls up my 404 page. I am also not using the default permalink
structure, but rather the date and name structure.
Just a little more information on this issue.
-nate
On Jul 12, 2006, at 8:22 PM, Aaron Newman wrote:
> I don't believe it is SQL Injection. I'm looking at version 2.0.3.
>
> The number placed in the query string does factor into the value inserted into the SQL statement. Here is another example:
>
> http://10.11.11.110/wordpress/index.php?paged=-1000
>
> WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10010, 10' at line 1]
> SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-07-13 02:54:59' AND (post_status = "publish" OR post_author = 1 AND post_status != 'draft' AND post_status != 'static') AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -10010, 10
>
> Note that the paged value is factored into the first argument of the LIMIT clause. Definition of LIMIT from the MySQL website:
> "The LIMIT clause can be used to constrain the number of rows returned by the SELECT statement. LIMIT takes one or two numeric arguments, which must both be non-negative integer constants (except when using prepared statements).
>
> With two arguments, the first argument specifies the offset of the first row to return, and the second specifies the maximum number of rows to return. The offset of the initial row is 0 (not 1):
>
> SELECT * FROM tbl LIMIT 5,10; # Retrieve rows 6-15"
>
> The error is actually happening because the first argument to LIMIT cannot be negative.
>
> This database call is generated in the file /wp-includes/classes.php
>
> Here it is:
>
> function &get_posts() {
> <snip>
>     // Paging
>     if (empty($q['nopaging']) && ! $this->is_single && ! $this->is_page) {
>         $page = $q['paged'];
>         if (empty($page)) {
>             $page = 1;
>         }
>
>         if (($q['what_to_show'] == 'posts')) {
>             $pgstrt = '';
>             $pgstrt = (intval($page) -1) * $q['posts_per_page'] . ', ';
>             $limits = 'LIMIT '.$pgstrt.$q['posts_per_page'];
>
> In the last line, it's inserting $pgstrt into the LIMIT clause. $pgstrt is set to the intval of the value submitted in the query string - 1, multiplied by the posts_per_page. According to the PHP documentation, "intval return value: The integer value of var on success, or 0 on failure." So if you put a string into $page, you are still going to get back 0, so I see no way of inserting text, spaces, or anything useful for SQL Injection in this particular place.
>
> Looking at this code, another opportunity for SQL injection would arise from manipulating posts_per_page. From a quick scan through the code, it doesn't look like manipulating posts_per_page is obvious.
>
> I wonder how much security research has been done on this function. It looks pretty complicated, which leaves a real opportunity for SQL injection to pop up somewhere.
>
>
> Another interesting security issue I just came across is with the login process. A failed login tells you whether it was a bad username or password. Sybase ASE 11.0 exhibited the same behavior, but they fixed it in a dot release. Oracle 8i did the same thing (although very subtly). This is great for making the end user's life easier, but it makes 1-factor authentication (passwords) even weaker than it already is (would you call it 1/2-factor authentication?).
>
> It would be trivial to write a Perl script to brute-force usernames, making a password attack a factor easier. Then another Perl script to brute-force the password for any discovered username. Coupled with no password lockout on WordPress, I'll bet password attacks are way too effective on WordPress.
>
> Regards,
> Aaron C. Newman
> aaroncharlesnewman (at) yahoo (dot) com [email concealed]
>
>
>
>
>
>
> -----Original Message-----
> From: zck zck [mailto:zckzck (at) gmail (dot) com [email concealed]]
> Sent: Wednesday, July 12, 2006 3:24 AM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Re: WordPress 2.0.3 SQL Error and Full Path Disclosure
>
> Isn't this actually an SQL Injection rather than information leakage?
>
> Try:
> http://localhost/wordpress/index.php?paged=%27
>
> I mean, the error message (this time in English) is:
> WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 1]
>
> It specifically says that "You have an error in your SQL syntax", which means my input goes into the query...
>
> -----Original Message-----
> From: xzerox (at) linuxmail (dot) org [email concealed] [mailto:xzerox (at) linuxmail (dot) org [email concealed]]
> Sent: Sunday, July 02, 2006 12:15
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: WordPress 2.0.3 SQL Error and Full Path Disclosure
>
> WordPress 2.0.3 SQL Error and Full Path Disclosure Discovered By zero
> [Moroccan Security Team]
> Software: WordPress 2.0.3
> Site : www.wordpress.org
>
> ~ SQL Error ~
>
> Example:
>
> http://localhost/wordpress/index.php?paged=-1
>
> Result:
>
> WordPress database error: [Syntax error near '-20, 10' at line 1] (French MySQL message, translated)
> SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-06-29 12:46:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -20, 10
>
>
> ~ Full path ~
>
> /wp-settings.php
> /wp-admin/admin-footer.php
> /wp-admin/admin-functions.php
> /wp-admin/edit-form.php
> /wp-admin/edit-form-advanced.php
> /wp-admin/edit-form-comment.php
> /wp-admin/edit-link-form.php
> /wp-admin/edit-page-form.php
> /wp-admin/menu.php
> /wp-admin/menu-header.php
> /wp-admin/upgrade-functions.php
> /wp-admin/upgrade-schema.php
> /wp-admin/import/blogger.php
> /wp-admin/import/dotclear.php
> /wp-admin/import/livejournal.php
> /wp-admin/import/mt.php
> /wp-admin/import/rss.php
> /wp-admin/import/textpattern.php
> /wp-content/plugins/hello.php
> /wp-content/plugins/wp-db-backup.php
> /wp-content/plugins/akismet/akismet.php
> /wp-content/themes/classic/index.php
> /wp-content/themes/classic/comments.php
> /wp-content/themes/classic/comments-popup.php
> /wp-content/themes/classic/footer.php
> /wp-content/themes/classic/header.php
> /wp-content/themes/classic/sidebar.php
> /wp-content/themes/default/index.php
> /wp-content/themes/default/404.php
> /wp-content/themes/default/archive.php
> /wp-content/themes/default/archives.php
> /wp-content/themes/default/attachment.php
> /wp-content/themes/default/comments-popup.php
> /wp-content/themes/default/footer.php
> /wp-content/themes/default/functions.php
> /wp-content/themes/default/header.php
> /wp-content/themes/default/links.php
> /wp-content/themes/default/page.php
> /wp-content/themes/default/search.php
> /wp-content/themes/default/searchform.php
> /wp-content/themes/default/sidebar.php
> /wp-content/themes/default/single.php
> /wp-includes/default-filters.php
> /wp-includes/kses.php
> /wp-includes/locale.php
> /wp-includes/rss-functions.php
> /wp-includes/template-loader.php
> /wp-includes/vars.php
> /wp-includes/wp-db.php
>
>
> Greetz:
>
> simo64, tahati, net_ghost, dabdoub, simo dreaminfo, iss4m, zerosecure,
> hunter, themenotor ...
>
> Contact:
>
> Author: Mourad [ zero ]
> Email : xzerox(at)linuxmail(dot)org
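The LIMIT computation Aaron walks through above, as an added example that is not part of this thread and not WordPress's own code: a stand-alone PHP reconstruction of the quoted logic from wp-includes/classes.php, with a hardened variant beside it. The function names, the sample inputs and the posts_per_page value of 10 are assumptions of this example.

```php
<?php
// Added example, not WordPress code. It reconstructs the LIMIT computation
// quoted from wp-includes/classes.php (WordPress 2.0.3) as a stand-alone
// function and places a hardened variant beside it. Function names, the
// sample inputs and the fixed posts_per_page of 10 are this example's own.

// Mirrors the quoted logic: intval() on $paged, but no lower bound, so a
// page number <= 0 produces a negative offset and a MySQL syntax error.
function build_limit_clause_original($paged, $posts_per_page) {
    $page = $paged;
    if (empty($page)) {          // note: empty("0") is true in PHP
        $page = 1;
    }
    $pgstrt = (intval($page) - 1) * $posts_per_page . ', ';
    return 'LIMIT ' . $pgstrt . $posts_per_page;
}

// Hardened variant: cast both operands to integers and clamp the page
// number to >= 1, so the offset is never negative and only digits reach
// the SQL string. %d formatting makes the integer-only contract explicit.
function build_limit_clause_fixed($paged, $posts_per_page) {
    $page     = max(1, intval($paged));
    $per_page = max(1, intval($posts_per_page));
    $offset   = ($page - 1) * $per_page;
    return sprintf('LIMIT %d, %d', $offset, $per_page);
}

// Constructed inputs: the two values from the thread, the single quote
// zck tried, an injection attempt, the "0" edge case and a real page.
$per_page = 10;
$samples  = ['-1', '-1000', "'", '1 OR 1=1', '0', '3'];

foreach ($samples as $paged) {
    printf("paged=%-12s original: %-18s fixed: %s\n",
        var_export($paged, true),
        build_limit_clause_original($paged, $per_page),
        build_limit_clause_fixed($paged, $per_page));
}
```

Run it with the php command-line interpreter. The reconstruction reproduces the two clauses quoted in the thread, LIMIT -20, 10 for paged=-1 and LIMIT -10010, 10 for paged=-1000, and turns zck's single quote into LIMIT -10, 10 because intval("'") is 0: the input is consumed by intval() and never reaches the query as text, which is Aaron's point. The "1 OR 1=1" sample is reduced to 1 for the same reason, and "0" is caught by empty() and treated as page 1. The hardened function clamps every malformed input to page 1 (LIMIT 0, 10); only a genuine page number such as 3 moves the offset (LIMIT 20, 10), and casting posts_per_page closes the second avenue Aaron raises.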