Vulnerabilities > CVE-2005-1687 - Unspecified vulnerability in Wordpress 1.5

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
wordpress
nessus

Summary

SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter.

Vulnerable Configurations

Part Description Count
Application
Wordpress
1

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200506-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200506-04 (Wordpress: Multiple vulnerabilities) Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks. Impact : An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the ability to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.
    last seen2020-06-01
    modified2020-06-02
    plugin id18427
    published2005-06-07
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18427
    titleGLSA-200506-04 : Wordpress: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200506-04.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration pass: Nessus loads the plugin with `description` set to
    # collect metadata only. Nothing here touches a target; the block ends
    # with exit(0) so the check body below never runs in this mode.
    if (description)
    {
      script_id(18427);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      # One Gentoo advisory covers three CVEs; this page is about CVE-2005-1687
      # (tb_id SQL injection in wp-trackback.php).
      script_cve_id("CVE-2005-1102", "CVE-2005-1687", "CVE-2005-1810");
      script_xref(name:"GLSA", value:"200506-04");
    
      script_name(english:"GLSA-200506-04 : Wordpress: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      # Advisory text is a verbatim copy from the GLSA; its "Workaround"
      # section says none is known, so patching is the only mitigation.
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200506-04
    (Wordpress: Multiple vulnerabilities)
    
        Due to a lack of input validation, WordPress is vulnerable to SQL
        injection and XSS attacks.
      
    Impact :
    
        An attacker could use the SQL injection vulnerabilities to gain
        information from the database. Furthermore the cross-site scripting
        issues give an attacker the ability to inject and execute malicious
        script code or to steal cookie-based authentication credentials,
        potentially compromising the victim's browser.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200506-04"
      );
      # Fixed Gentoo package version is 1.5.1.2; the same bound is used by
      # the qpkg_check() call in the check body.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Wordpress users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=www-apps/wordpress-1.5.1.2'"
      );
      # CVSS2 7.5: network, low complexity, no auth, partial C/I/A.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # Local (authenticated, package-list based) check, not a remote probe.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:wordpress");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/06/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/07");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/19");
      script_end_attributes();
    
      # ACT_GATHER_INFO: read-only against the target, safe to run anywhere.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Needs the SSH info-gathering plugin and the KB keys it populates;
      # the check body audits out if any of them is missing.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: local checks must be enabled and the host must have been
    # identified as Gentoo with a package list collected over SSH. audit()
    # reports the reason and terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Version-based test only: anything below the Gentoo fix release is
    # reported, anything at or above it is clean. No request is sent to
    # WordPress itself.
    fixed_version = "1.5.1.2";
    
    affected = qpkg_check(
      package    : "www-apps/wordpress",
      unaffected : make_list("ge " + fixed_version),
      vulnerable : make_list("lt " + fixed_version)
    );
    
    if (!affected)
    {
      # Distinguish "installed but patched" from "not installed at all".
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Wordpress");
    }
    else
    {
      # Verbose reports include the package/version evidence gathered by qpkg.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyCGI abuses
    NASL idWORDPRESS_151.NASL
    descriptionThe version of WordPress installed on the remote host is affected by multiple vulnerabilities : - The application is affected by a SQL injection vulnerability because it fails to properly sanitize user-supplied input passed via the 'tb_id' parameter to the 'wp-trackback.php' script before using it in database queries.
    last seen2020-06-01
    modified2020-06-02
    plugin id18301
    published2005-05-19
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18301
    titleWordPress < 1.5.1 Multiple Vulnerabilities
    code
    #
    # Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: metadata only, exits before any network activity.
    if (description)
    {
      script_id(18301);
      script_version("1.18");
      script_cvs_date("Date: 2018/08/07 16:46:49");
    
      # CVE-2005-1687 = tb_id SQL injection (the only issue the active probe
      # below actually tests); CVE-2005-1688 = path disclosure.
      script_cve_id("CVE-2005-1687", "CVE-2005-1688");
      script_bugtraq_id(13655, 13663, 13664);
    
      script_name(english:"WordPress < 1.5.1 Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in WordPress < 1.5.1.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a PHP application that is affected by
    multiple vulnerabilities.");
      # NOTE: the XSS items in this text are admin-only (see last paragraph);
      # the check body does not probe them, it only infers them from the
      # version string in paranoid mode.
      script_set_attribute(attribute:"description", value:
    "The version of WordPress installed on the remote host is affected by
    multiple vulnerabilities :
    
      - The application is affected by a SQL injection
        vulnerability because it fails to properly sanitize
        user-supplied input passed via the 'tb_id' parameter
        to the 'wp-trackback.php' script before using it in
        database queries. This could lead to disclosure of
        sensitive information or attacks against the underlying
        database. (CVE-2005-1687)
    
      - The application contains an information disclosure flaw
        in which paths can be exposed in error messages after
        direct requests to files in '/wp-content/themes/',
        '/wp-includes', and '/wp-admin/'.  (CVE-2005-1688)
    
      - The application is affected by multiple cross-site
        scripting vulnerabilities. An attacker can pass
        arbitrary HTML and script code through the 's'
        parameter of the 'wp-admin/edit.php' script or the
        'p' parameter in the 'wp-admin/post.php' script, thereby
        facilitating cross-site scripting attacks. Note that
        these attacks will only be successful against
        administrators since the scripts themselves are limited
        to administrators.");
      script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2005/05/one-five-one/");
      # Upstream fix is 1.5.1; the Gentoo plugin for the same CVE uses the
      # distro package version 1.5.1.2 instead.
      script_set_attribute(attribute:"solution", value:"Upgrade to WordPress version 1.5.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/05/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/05/19");
    
      # Remote, unauthenticated check against the web application.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
      script_end_attributes();
    
      # ACT_ATTACK: the check body sends a deliberately malformed trackback
      # POST rather than only reading already-gathered data, so expect it to
      # appear in the target's web server / WAF logs.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
    
      # Relies on wordpress_detect.nasl to populate installed_sw/WordPress
      # (path and version) used by the check body. (`script_dependencie` is
      # the legacy spelling Nessus accepts.)
      script_dependencie("wordpress_detect.nasl");
      script_require_keys("installed_sw/WordPress", "www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # Locate the WordPress install recorded by wordpress_detect.nasl; abort
    # (via audit inside get_install_count) when there is none.
    app = "WordPress";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    install = get_single_install(app_name:app, port:port);
    
    dir         = install['path'];
    ver         = install['version'];
    install_url = build_url(port:port, qs:dir);
    kb_base     = 'www/' + port;
    
    # Active probe. A tb_id value that cannot be a post ID is submitted as a
    # trackback; an unpatched 1.5 interpolates it into the SELECT and echoes
    # the failing query back inside a wpdberror paragraph. The plugin name is
    # embedded in the value so that only an error caused by *this* request
    # (not a stale or unrelated database error) is counted as a hit.
    probe_marker = "-99'" + SCRIPT_NAME;
    postdata =
      "tb_id=" + probe_marker + "&" +
      "url=https://wordpress.org/news/2005/05/one-five-one/&" +
      "title=" + SCRIPT_NAME + "&" +
      "blog_name=Nessus";
    
    reply = http_send_recv3(
      method       : "POST",
      port         : port,
      item         : dir + "/wp-trackback.php",
      data         : postdata,
      exit_on_fail : TRUE
    );
    body = reply[2];
    
    # Both markers must be present: the error wrapper and the echoed query
    # fragment carrying our tag.
    db_error_tag = "<p class='wpdberror'>";
    echoed_query = "FROM wp_posts WHERE ID = " + probe_marker;
    
    if (db_error_tag >< body && echoed_query >< body)
    {
      set_kb_item(name:kb_base + '/SQLInjection', value:TRUE);
      security_hole(port);
      exit(0);
    }
    
    # Fallback for the false-negative case: with PHP magic_quotes enabled the
    # quote is escaped, the query succeeds and no error is shown although the
    # code is still vulnerable. Only in paranoid mode do we then trust the
    # banner version instead (higher false-positive risk, hence the gate).
    # The pattern covers 0.x, 1.0-1.4, bare "1.5", "1.5<suffix>" and "1.5.0";
    # 1.5.1 and later do not match. NOTE(review): the 1.[0-4] branch is not
    # end-anchored, so a string like "1.10" would also match -- presumably
    # moot for the real 1.x release line, but worth knowing.
    if (report_paranoia == 2 && ver =~ "^(0\.|1\.([0-4]|5([^0-9.]+|$|\.0)))")
    {
      set_kb_item(name:kb_base + '/XSS', value:TRUE);
      set_kb_item(name:kb_base + '/SQLInjection', value:TRUE);
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + ver +
          '\n  Fixed version     : 1.5.1\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    
    # Neither the probe nor (in paranoid mode) the version matched.
    audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);