[Full-disclosure] Wordpress 2.1.2 xmlrpc Vulnerabilities

["Sumit Siddharth" <sumit.siddharth@xxxxxxxxx>]

Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities:

*Affected Versions*: These issues were reported in version 2.1.2 and its
very likely that previous versions may also be vulnerable.

1.* Privilidge Escalation*:

Under normal circumstances (through web interface) a user in contributor
role only has access to following functions:

a. read
b. edit_posts

functionality 'publish_posts' is restricted to users in the author, editor
or administrator roles. However, this is not implemented in xmlrpc.php and
this allows a user in the contributor roles to publish a previously saved
post to the website.

No exploit code is required.

2. *SQL Injection*:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to
the backend database which results in a Sql injection. Exploiting this is
pretty trivial. As, it is an integer based injection, it works irrespective
of the setting "magic quote".  I wrote a Simple Proof Of Concept for this.
Download 
Exploit<http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl>
—————————————————–

*Successful Exploitation* of this will give you usernames and md5 hash of
password of all users including admin user. Once you have the admin user
hash needless to say you can create a php backdoor and that essentialy is
game over.

**[image: :-)]

*Workaround*:
1. Disable xmlrpc if you dont use it or restrict its access to trusted users
only.

*Vendor's response:*
1. vendor notified on 22nd March 2007.
2. New Version released on 2nd April 2007.
3. Advisory released on 2nd April 2007

--
Sumit Siddharth
www.notsosecure.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/