Wordpress 1.5.2 Security Flaw
The Gentoo people noticed this SQL escaping bug in Wordpress 1.5.2, which I use to power this blog:
I found the latest stable version of Wordpress (1.5.2) vulnerable to SQL injection. The application is vulnerable as the user_agent HTTP header is not properly escaped when submitting a comment to an article.
In order to trigger the issue:
1. Add a ' into the user agent value of your browser; alternatively, use a proxy such as paros (www.parosproxy.org) to manipulate the HTTP header.
2. Add a new comment containing anything.
3. The application will return an error message when trying to perform the INSERT INTO wp_comments.
Fortunately, this sequence will not be triggered if the comments are set to go straight to moderation. I first saw this reported here. I was unable to reproduce this bug on any of my blogs, however, so it may simply be a big bug scare…
This entry was posted on Monday, March 6th, 2006 at 4:30 pm.
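The class of bug the quoted report describes, shown as an added example that is not WordPress code and not part of the original post: a User-Agent value concatenated into an INSERT statement next to the same value passed as a bound parameter. The table, function names and sample headers are constructed assumptions, and an in-memory SQLite database stands in for the blog's MySQL database.

```python
import sqlite3

# Constructed, simplified stand-in for a comments table (not the real schema).
SCHEMA = "CREATE TABLE comments (id INTEGER PRIMARY KEY, content TEXT, agent TEXT)"

# Constructed sample headers: an ordinary one and one containing a single quote.
PLAIN_AGENT = "ExampleBrowser/1.0 test"
QUOTED_AGENT = "ExampleBrowser/1.0 ' test"


def new_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def insert_unescaped(db, content, user_agent):
    """Builds the statement by concatenation, so header text becomes SQL text."""
    sql = ("INSERT INTO comments (content, agent) VALUES ('"
           + content + "', '" + user_agent + "')")
    db.execute(sql)


def insert_bound(db, content, user_agent):
    """Passes the header as a bound parameter, so it is only ever data."""
    db.execute("INSERT INTO comments (content, agent) VALUES (?, ?)",
               (content, user_agent))


def try_insert(insert, user_agent):
    """Return ('ok', stored_agent) or ('error', message) for one submission."""
    db = new_db()
    try:
        insert(db, "hello", user_agent)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    stored = db.execute("SELECT agent FROM comments").fetchone()[0]
    return ("ok", stored)


if __name__ == "__main__":
    for name, fn in (("unescaped", insert_unescaped), ("bound", insert_bound)):
        for agent in (PLAIN_AGENT, QUOTED_AGENT):
            print(name, repr(agent), "->", try_insert(fn, agent))
```

The database error on the quoted header in the concatenated version corresponds to the error message in step 3 of the report; with a bound parameter the same header is stored unchanged.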
2 Responses to “Wordpress 1.5.2 Security Flaw”


The bug is a red herring. It can only be exploited under special circumstances and only if the exploiter is logged in as admin.
Thanks for the update!!