WordPress rawurlencode Vulnerability

Intro

xy7 found an information disclosure vulnerability in WordPress <= 2.0.6.

This vulnerability appears to be limited to information leakage. To test whether your WordPress installation is affected, see below.

Test whether you are vulnerable (most installations are):

http://my_wordpress/index.php?m[]=
OR
http://my_wordpress/?m[]=

Temporary fix:

Note: Always make backups before making any changes.
As a temporary fix we ensure that the value passed to the rawurlencode function is a string and not an array, since an array value (as produced by m[]=) is what causes the problem.

  • Edit wp-includes/classes.php
  • Go to line 1663
  • The line should look like this:
    if (isset($this->query_vars[$wpvar]) && '' != $this->query_vars[$wpvar]) {
  • Add the following (directly after the above-mentioned line):
    if (!is_string($this->query_vars[$wpvar])) {
        $this->query_vars[$wpvar] = 'fixed';
    }
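The following is an added illustration of why an array query var breaks rawurlencode and of the string check the temporary fix adds; it is not code from this post or from WordPress. The `build_redirect_*` functions, the `$query_vars` input and the variable names are assumptions standing in for the WordPress code around line 1663.

```php
<?php
// Added illustration (not WordPress code): an array query var reaching
// rawurlencode(), beside the is_string() check from the temporary fix.

// Constructed input standing in for $_GET after "?m[]=": PHP parses "m[]"
// as an array, so $query_vars['m'] is an array, not a string.
$query_vars = ['m' => [''], 'p' => '42'];

// Vulnerable pattern: every non-empty query var goes straight to rawurlencode().
// With an array value this raises a warning (PHP 5/7) or a TypeError (PHP 8);
// when display_errors is on, the warning text includes the full filesystem
// path of the file making the call, which is the information that leaks.
function build_redirect_vulnerable(array $vars): string {
    $parts = [];
    foreach ($vars as $name => $value) {
        if (isset($value) && '' != $value) {
            $parts[] = $name . '=' . rawurlencode($value);
        }
    }
    return '?' . implode('&', $parts);
}

// Hardened pattern: the post's check, applied to every query var before it
// can reach rawurlencode(). Non-string values are replaced with the same
// placeholder the post uses, so the encoder only ever sees a string.
function build_redirect_fixed(array $vars): string {
    $parts = [];
    foreach ($vars as $name => $value) {
        if (!is_string($value)) {
            $value = 'fixed';
        }
        if ('' != $value) {
            $parts[] = $name . '=' . rawurlencode($value);
        }
    }
    return '?' . implode('&', $parts);
}

echo build_redirect_fixed($query_vars), PHP_EOL;   // ?m=fixed&p=42

try {
    echo build_redirect_vulnerable($query_vars), PHP_EOL;
} catch (TypeError $e) {
    // PHP 8 throws; on older PHP the same call emits a warning (and returns
    // null) rather than throwing, so the try/catch does not apply there.
    echo 'rawurlencode() rejected an array value', PHP_EOL;
}
```

Hiding the warning (display_errors off) only suppresses the symptom; the is_string check stops the bad value before the call, which is why the post's fix goes before rawurlencode rather than after it.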

Summary

If I hear of WordPress releasing an official patch I will update this post.
