WordPress rawurlencode Vulnerability

Posted by dk

January 15, 2007

Intro

xy7 found an information disclosure vulnerability in WordPress <= 2.0.6.

It looks like this vulnerability is limited to information leakage only. If you want to test your WP installation see below.

Test if you are vulnerable (most likely):

http://my_wordpress/index.php?m[]=
OR
http://my_wordpress/?m[]=

Temporary fix:

Note: Always make backups before making any changes.
As a temporary fix we ensure that the input being passed to the rawurlencode function is a string and not an array which is what is causing the problems.

edit wp-includes/classes.php
Go to line 1663
The line should look like this:
if (isset($this->query_vars[$wpvar]) && ” != $this->query_vars[$wpvar]) {
Add the following (after the above-mentioned line):
if(!is_string($this->query_vars[$wpvar])) {
$this->query_vars[$wpvar] = ‘fixed’;
}

Summary

If I hear of WordPress releasing an official patch I will update this post.

Alerts

No Related Post

If you enjoyed this post, please leave a comment or subscribe to the feed and get future articles delivered to your feed reader.

Pingback by :: ×ž×™×•×ž× ×™×• ×©×œ ×œ×§×•×— :: » ××¨×›×™×•×Ÿ » ×¢×•×“ ×©×‘×•×¢ ×¢×•×“ ×ª×™×§×•×Ÿ on 15 January 2007 @ 5:02 pm

[...] ×‘×•×•×¨×“×¤×¨×¡. ×”×¤×¢× ×ž×“×•×‘×¨ ×‘×‘×§×©×ª HTTP ×©×¢×©×•×™×” ×œ×©×ž×© ×œ×—×©×™×¤×ª ×ž×™×“×¢ ×ž×•×•×¨×“×¤×¨×¡. ×›×œ ×”×’×¨×¡××•×ª, ×›×•×œ×œ 2.0.5 ×”×ž×¢×•×‘×¨×ª×ª, ×•-2.0.6 ×”×œ×, ×—×©×•×¤×•×ª. [...]

Pingback by ×•×•×¨×“×¤×¨×¡ ×¢×‘×¨×™×ª » ××¨×›×™×•×Ÿ » ×¢×•×“ ×¤×¨×¦×ª ××‘×˜×—×” : ×—×©×•×‘ ×œ×¢×“×›×Ÿ ××ª ×•×•×¨×“×¤×¨×¡ on 15 January 2007 @ 9:23 pm

WordPress rawurlencode Vulnerability

Intro

Test if you are vulnerable (most likely):

Temporary fix:

Summary

Leave a comment

Search

Archives

Categories

Recent Posts

Useful References

Links

Favourites