CVE-2007-0107 - SQL Injection vulnerability in WordPress Charset Decoding

CVSS 6.8 - MEDIUM (CVSS v2 base vector AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required (v2 "Authentication"): NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, wordpress, nessus, exploit available

Summary

WordPress before 2.0.6, when the PHP mbstring extension is enabled, converts trackback fields from the character set declared by the sender only after those fields have already been escaped for use in the SQL query. The escaping step therefore never sees the quote characters that appear once the data is decoded, so an unauthenticated remote attacker can bypass the SQL injection protection and execute arbitrary SQL by submitting a trackback in a multibyte charset, as demonstrated with UTF-7. Successful exploitation requires that the mbstring extension be enabled; without it no conversion takes place and the encoded payload stays inert. This vulnerability is addressed in WordPress 2.0.6.
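The ordering bug described above, as an added example that is not WordPress code: the functions below are this example's own Python models of PHP's addslashes() and of the mbstring-dependent charset conversion (the names vulnerable_pipeline, fixed_pipeline, build_query and the payload are constructed for illustration, not the project's API). "+ACc-" is the UTF-7 encoding of U+0027, the single quote, and contains no quote byte, so escape-then-decode lets it through while decode-then-escape catches it. The third case shows why the bug is conditional on mbstring: with no conversion available the payload never becomes a quote.

```python
# Added example, not WordPress code: why escaping before charset
# conversion is bypassable with UTF-7 (CVE-2007-0107).  Pre-2.0.6
# trackback handling escaped the submitted fields and only then, when
# the mbstring extension was present, converted them from the charset
# the sender declared.  The helpers below are this example's own models
# of addslashes() / mb_convert_encoding(), not the project's functions.


def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def convert_charset(data: bytes, charset: str, mbstring_enabled: bool) -> str:
    """Model of the mbstring-dependent conversion to the blog's charset.

    Without mbstring the old code had nothing to convert with, so the
    bytes reach the query untouched (which is why the CVE is conditional).
    """
    if not mbstring_enabled:
        return data.decode("latin-1")
    return data.decode(charset)


def vulnerable_pipeline(field: bytes, charset: str, mbstring_enabled: bool = True) -> str:
    """Pre-2.0.6 order: escape first, convert charset second."""
    escaped = addslashes(field.decode("latin-1"))  # escaping sees only ASCII
    return convert_charset(escaped.encode("latin-1"), charset, mbstring_enabled)


def fixed_pipeline(field: bytes, charset: str, mbstring_enabled: bool = True) -> str:
    """Correct order: convert to the working charset, then escape the
    string that actually goes into the query."""
    return addslashes(convert_charset(field, charset, mbstring_enabled))


def build_query(author: str) -> str:
    """The kind of string-built INSERT the escaped value ended up in."""
    return "INSERT INTO wp_comments (comment_author) VALUES ('%s')" % author


# Constructed payload: "+ACc-" is UTF-7 for U+0027 ('); no quote byte is present.
PAYLOAD = b"pingbot+ACc-), (1); DROP TABLE wp_posts; -- "

if __name__ == "__main__":
    print("vulnerable: ", build_query(vulnerable_pipeline(PAYLOAD, "utf-7")))
    print("fixed:      ", build_query(fixed_pipeline(PAYLOAD, "utf-7")))
    print("no mbstring:", build_query(vulnerable_pipeline(PAYLOAD, "utf-7", False)))
```

Run it and compare the three queries: the vulnerable order yields a closed string literal followed by attacker SQL, the fixed order yields a backslash-escaped quote, and the no-mbstring case yields the literal text "+ACc-". The same check applies to any escape-then-transform pipeline (charset conversion, URL or HTML decoding, normalisation): whatever transformation runs last is what the query sees, so escaping must be the final step.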

Exploit-Db

description: WordPress 2.0.5 Trackback UTF-7 Remote SQL Injection Exploit. CVE-2007-0107. Webapps exploit for php platform
id: EDB-ID:3095
last seen: 2016-01-31
modified: 2007-01-07
published: 2007-01-07
reporter: Stefan Esser
source: https://www.exploit-db.com/download/3095/
title: WordPress 2.0.5 - Trackback UTF-7 - Remote SQL Injection Exploit

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200701-10.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200701-10 (WordPress: Multiple vulnerabilities). When decoding trackbacks with alternate character sets, WordPress does not correctly sanitize the entries before further modifying a SQL query. WordPress also displays different error messages in wp-login.php based upon whether or not a user exists. David Kierznowski has discovered that WordPress fails to properly sanitize recent file information in /wp-admin/templates.php before sending that information to a browser. Impact: An attacker could inject arbitrary SQL into WordPress database queries. An attacker could also determine if a WordPress user existed by trying to login as that user, better facilitating brute-force attacks. Lastly, an attacker authenticated to view the administrative section of a WordPress instance could try to edit a file with a malicious filename; this may cause arbitrary HTML or JavaScript to be executed in users
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24208
    published: 2007-01-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24208
    title: GLSA-200701-10 : WordPress: Multiple vulnerabilities
  • NASL family: CGI abuses
    NASL id: WORDPRESS_TRACKBACK_CHARSET_SQL_INJECTION.NASL
    description: The version of WordPress on the remote host supports trackbacks in alternate character sets and decodes them after escaping SQL parameters. By specifying an alternate character set and encoding input with that character set while submitting a trackback, an unauthenticated, remote attacker can bypass the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24011
    published: 2007-01-12
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24011
    title: WordPress Trackback Charset Decoding SQL Injection