Wordpress 2.1.2 xmlrpc Multiple Vulnerabilities:
Affected Versions: These issues were reported in version 2.1.2 and its
very likely that previous versions may also be vulnerable.
1.* Privilidge Escalation*:
Under normal circumstances (through web interface) a user in contributor
role only has access to following functions:
a. read
b. edit_posts
functionality 'publish_posts' is restricted to users in the author, editor
or administrator roles. However, this is not implemented in xmlrpc.php and
this allows a user in the contributor roles to publish a previously saved
post to the website.
No exploit code is required.
This is only exploitable by authenticated users.
The post_id parameter is not properly sanitized before passing its value to
the backend database which results in a Sql injection. Exploiting this is
pretty trivial. As, it is an integer based injection, it works irrespective
of the setting "magic quote". I wrote a Simple Proof Of Concept for this.
Download Exploit<http://www.notsosecure.com/folder2/wp-content/uploads/2007/04/wp-xmlrpc-sql.pl>
—————————————————–
Successful Exploitation of this will give you usernames and md5 hash of
password of all users including admin user. Once you have the admin user
hash needless to say you can create a php backdoor and that essentialy is
game over.
**[image: :-)]
Workaround:
Vendor's response:
–
Sumit Siddharth
www.notsosecure.com