Vulnerabilities > CVE-2005-1687 - Unspecified vulnerability in Wordpress 1.5
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
wordpress
nessus
Summary
SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200506-04.NASL description The remote host is affected by the vulnerability described in GLSA-200506-04 (Wordpress: Multiple vulnerabilities) Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks. Impact : An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim last seen 2020-06-01 modified 2020-06-02 plugin id 18427 published 2005-06-07 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18427 title GLSA-200506-04 : Wordpress: Multiple vulnerabilities code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200506-04.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

# Purpose: local package-version check for GLSA-200506-04. It reports the host
# when the Gentoo package www-apps/wordpress is older than 1.5.1.2. The plugin
# is declared plugin_type "local" / ACT_GATHER_INFO and works from package data
# held in the scanner knowledge base; no request to the WordPress application
# is made anywhere in this script.
#
# NOTE(review): the verdict is derived from the package list only, so a
# WordPress copy that was not installed as www-apps/wordpress (for example
# unpacked by hand into a web root) would presumably be invisible to this
# check -- confirm against qpkg.inc and pair it with a remote check.

include("compat.inc");

# Registration pass: declare the plugin metadata, then exit(0) before any
# check logic runs.
if (description)
{
  script_id(18427);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  # One advisory, three CVEs; CVE-2005-1687 is the wp-trackback.php SQL
  # injection this page is about.
  script_cve_id("CVE-2005-1102", "CVE-2005-1687", "CVE-2005-1810");
  script_xref(name:"GLSA", value:"200506-04");

  script_name(english:"GLSA-200506-04 : Wordpress: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");
  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200506-04 (Wordpress: Multiple vulnerabilities) Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks. Impact : An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200506-04"
  );
  # The remediation text names the fixed package version that the
  # qpkg_check() call further down also uses as its threshold.
  script_set_attribute(
    attribute:"solution",
    value:
"All Wordpress users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=www-apps/wordpress-1.5.1.2'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:wordpress");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/06/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/07");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  # The check needs the host data that ssh_get_info.nasl is expected to have
  # stored under the three KB keys listed here.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Preconditions: stop with an audit message unless local checks are enabled,
# the host was identified as Gentoo, and a package list is present in the KB.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

# Versions >= 1.5.1.2 are treated as unaffected, versions < 1.5.1.2 as
# vulnerable; a true result from qpkg_check() marks the host as affected.
if (qpkg_check(package:"www-apps/wordpress", unaffected:make_list("ge 1.5.1.2"), vulnerable:make_list("lt 1.5.1.2"))) flag++;

if (flag)
{
  # Report on port 0 (host-level finding); attach the package report only
  # when the scan's report_verbosity is above 0.
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  # Not affected: distinguish "package present but not vulnerable" from
  # "package not installed" based on whether qpkg_tests_get() returned anything.
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Wordpress");
}
NASL family CGI abuses NASL id WORDPRESS_151.NASL description The version of WordPress installed on the remote host is affected by multiple vulnerabilities : - The application is affected by a SQL injection vulnerability because it fails to properly sanitize user-supplied input passed via the last seen 2020-06-01 modified 2020-06-02 plugin id 18301 published 2005-05-19 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18301 title WordPress < 1.5.1 Multiple Vulnerabilities code
#
# Tenable Network Security, Inc.
#

# Purpose: remote check for WordPress < 1.5.1 (CVE-2005-1687, CVE-2005-1688).
# It has two reporting paths:
#   1. an active test: one POST to wp-trackback.php with a malformed tb_id,
#      confirmed only if the response echoes a WordPress database error that
#      contains the marker the plugin sent;
#   2. a version comparison against the detected install, used only when the
#      scan runs with report_paranoia == 2.
# If neither path reports, the install is audited as not affected.
#
# NOTE(review): path 1 depends on the application printing database errors
# into the HTTP response. Where errors are suppressed, or quoting neutralises
# the apostrophe (the original comment below mentions magic_quotes), a
# non-paranoid scan ends in AUDIT_WEB_APP_NOT_AFFECTED even for an old version,
# so a clean result from a default-paranoia scan is not proof of a patched install.

include("compat.inc");

# Registration pass: declare the plugin metadata, then exit(0) before any
# check logic runs.
if (description)
{
  script_id(18301);
  script_version("1.18");
  script_cvs_date("Date: 2018/08/07 16:46:49");

  script_cve_id("CVE-2005-1687", "CVE-2005-1688");
  script_bugtraq_id(13655, 13663, 13664);

  script_name(english:"WordPress < 1.5.1 Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in WordPress < 1.5.1.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of WordPress installed on the remote host is affected by multiple vulnerabilities : - The application is affected by a SQL injection vulnerability because it fails to properly sanitize user-supplied input passed via the 'tb_id' parameter to the 'wp-trackback.php' script before using it in database queries. This could lead to disclosure of sensitive information or attacks against the underlying database. (CVE-2005-1687) - The application contains an information disclosure flaw in which paths can be exposed in error messages after direct requests to files in '/wp-content/themes/', '/wp-includes', and '/wp-admin/'. (CVE-2005-1688) - The application is affected by multiple cross-site scripting vulnerabilities. 
An attacker can pass arbitrary HTML and script code through the 's' parameter of the 'wp-admin/edit.php' script or the 'p' parameter in the 'wp-admin/post.php' script, thereby facilitating cross-site scripting attacks. Note that these attacks will only be successful against administrators since the scripts themselves are limited to administrators.");
  script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2005/05/one-five-one/");
  script_set_attribute(attribute:"solution", value:"Upgrade to WordPress version 1.5.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # NOTE(review): the CWE list carries CWE-20, CWE-74 and CWE-79 plus a run of
  # further IDs, but not CWE-89, although the description's first item is a
  # SQL injection. Anyone filtering findings by CWE-89 will not see this plugin.
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/05/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_end_attributes();

  # ACT_ATTACK: unlike a pure information-gathering plugin, this one sends a
  # deliberately malformed request to the target application (see below).
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  # Runs only after WordPress detection has recorded an install and the web
  # server is flagged as PHP-capable in the KB.
  script_dependencie("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

app = "WordPress";
# Exit early when no WordPress install was recorded (exit_if_zero:TRUE).
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

# Pick the detected install on this port; its path and version drive both
# the request target and the version fallback.
install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
ver = install['version'];
install_url = build_url(port:port, qs:dir);

# Try a SQL injection.
# nb: this should lead to a syntax error.
# The tb_id value is a number followed by an apostrophe and the plugin's own
# SCRIPT_NAME; the name doubles as a unique marker to look for in the reply.
# The body also carries title=<SCRIPT_NAME> and blog_name=Nessus, so the probe
# is identifiable as scanner traffic wherever request bodies are logged.
postdata = "tb_id=-99'" + SCRIPT_NAME + "&" +
  "url=https://wordpress.org/news/2005/05/one-five-one/&" +
  "title=" + SCRIPT_NAME + "&" +
  "blog_name=Nessus";

w = http_send_recv3(method: "POST", port:port, item: dir + "/wp-trackback.php", data: postdata, exit_on_fail: TRUE);
# presumably index 2 of the returned array is the response body -- confirm
# against http.inc
res = w[2];

# There's a problem if we see a database error with the plugin's name.
# Both conditions must hold: the WordPress DB-error markup is present AND the
# echoed query contains the marker sent above, which ties the error to this
# request rather than to an unrelated database failure.
# NOTE(review): the expected query text hard-codes the table name "wp_posts".
# An install configured with a different table prefix would presumably echo a
# different table name and not match here -- confirm; such hosts would then
# only be reported by the paranoid version check below.
if (
  "<p class='wpdberror'>" >< res &&
  "FROM wp_posts WHERE ID = -99'" + SCRIPT_NAME >< res
)
{
  set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
  security_hole(port);
  exit(0);
}

# Alert on the version number in case magic_quotes was enabled.
# Ensure we are running as paranoid
if (report_paranoia == 2)
{
  # Matches versions starting with "0.", "1.0" through "1.4", and "1.5" when
  # it is followed by end of string, by ".0", or by characters that are neither
  # digits nor dots; the reported fix version is 1.5.1.
  if (ver =~ "^(0\.|1\.([0-4]|5([^0-9.]+|$|\.0)))")
  {
    # Version-only verdict: both the XSS and SQL injection KB flags are set
    # here without the issue having been confirmed by the request above.
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    if (report_verbosity > 0)
    {
      report = '\n URL : ' + install_url + '\n Installed version : ' + ver + '\n Fixed version : 1.5.1\n';
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }
}
# Reached when the active test saw no matching error and the version fallback
# was either skipped (paranoia below 2) or did not match.
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);