[Full-disclosure] Wordpress 2.1.2 xmlrpc Vulnerabilities

2007-04-06 00:00:00
vulners.com

Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities:

Affected Versions: These issues were reported in version 2.1.2 and it is
very likely that previous versions are also vulnerable.

1. Privilege Escalation:

Under normal circumstances (through the web interface) a user in the
contributor role only has access to the following capabilities:

a. read
b. edit_posts

The 'publish_posts' capability is restricted to users in the author, editor
or administrator roles. However, this check is not implemented in xmlrpc.php,
which allows a user in the contributor role to publish a previously saved
post to the website.

No exploit code is required.

2. SQL Injection:

This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before its value is passed to
the backend database, which results in a SQL injection. Exploiting this is
pretty trivial. As it is an integer-based injection, it works irrespective
of the "magic quotes" setting. I wrote a simple proof of concept for this.
Download Exploit: <http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl>

Successful exploitation of this will give you the usernames and MD5 password
hashes of all users, including the admin user. Once you have the admin user's
hash, needless to say, you can create a PHP backdoor and that is essentially
game over.
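Both issues come down to the XML-RPC entry point skipping checks the web interface performs: the publish_posts capability gate and integer handling of post_id. The following is an added, illustrative PHP handler written for this page, not WordPress's own code; `$db` (a PDO connection), `user_can()` and the `posts` table are assumed names.

```php
<?php
// Added illustrative example, not WordPress code.
// Assumptions: $db is a PDO connection; user_can($user, $cap) mirrors the
// role-to-capability mapping described in the advisory.

// Weak pattern the advisory describes: no capability check, and post_id is
// interpolated into the SQL text, so a non-numeric value becomes SQL syntax.
function publish_post_weak(PDO $db, array $user, $postId): void {
    $db->exec("UPDATE posts SET post_status = 'publish' WHERE ID = $postId");
}

// Hardened version: same capability gate as the web UI, integer-typed id,
// and a bound parameter so the value never reaches the query as SQL text.
function publish_post(PDO $db, array $user, $postId): void {
    // 1. Enforce the role restriction exactly as the web interface does.
    if (!user_can($user, 'publish_posts')) {
        throw new RuntimeException('publish_posts capability required');
    }
    // 2. Accept only a plain non-negative integer. Because the column is
    //    numeric, quoting (magic_quotes) is no defence; the type check is.
    if (!is_int($postId) && !ctype_digit((string) $postId)) {
        throw new InvalidArgumentException('post_id must be an integer');
    }
    $id = (int) $postId;
    // 3. Prepared statement with an explicitly integer-typed binding.
    $stmt = $db->prepare('UPDATE posts SET post_status = :status WHERE ID = :id');
    $stmt->bindValue(':status', 'publish', PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

// Assumed capability check: contributors get read and edit_posts only;
// publish_posts belongs to author, editor and administrator (per the advisory).
function user_can(array $user, string $cap): bool {
    $roles = [
        'contributor'   => ['read', 'edit_posts'],
        'author'        => ['read', 'edit_posts', 'publish_posts'],
        'editor'        => ['read', 'edit_posts', 'publish_posts'],
        'administrator' => ['read', 'edit_posts', 'publish_posts'],
    ];
    return in_array($cap, $roles[$user['role']] ?? [], true);
}
```

With this pattern a contributor calling the XML-RPC method is refused before any query runs, and a post_id such as `1 OR 1=1` is rejected rather than executed.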


Workaround:

  1. Disable xmlrpc if you don't use it, or restrict its access to trusted
     users only.

Vendor's response:

  1. Vendor notified on 22nd March 2007.
  2. New version released on 2nd April 2007.
  3. Advisory released on 2nd April 2007.


Sumit Siddharth
www.notsosecure.com