Details are emerging about a new, unpatched flaw in WordPress that may lead to SQL injection.
It was recently discovered that the WordPress search function fails to sanitize input correctly for certain multibyte character sets. Input passed to the "s" parameter in index.php (when "exact" and "sentence" are set to "1") is not properly sanitized before being used in SQL queries.
The currently known character sets which are exploitable include Big5 and GBK. Additional character sets may also be exploitable.
On its own, this attack can expose all database content without any need to authenticate. Combined with other exploits (such as the earlier WordPress cookie authentication vulnerability), any remote user can obtain WordPress admin privileges.
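To make the character-set issue concrete from the defender's side, here is an added Python example; it is not code from WordPress or from the advisory. It constructs a short byte sequence that a server configured for GBK reads as a multibyte lead byte followed by an ASCII quote, shows that byte-oriented backslash escaping (in the style of PHP's addslashes(), assumed here as the class of escaping at issue) leaves the quote unescaped once the server decodes the bytes, and contrasts that with the mitigation: decode the request strictly in the declared charset, refuse malformed sequences, and bind the search term as a query parameter instead of splicing it into SQL text. The table name, column and sample rows are constructed for the demonstration.

```python
import sqlite3
from typing import List, Optional

# Constructed sample input (not taken from the advisory): a byte that is a valid
# GBK lead byte, immediately followed by an ASCII single quote.
SAMPLE_INPUT = b"\xbf'"


def naive_escape(raw: bytes) -> bytes:
    """Byte-by-byte escaping in the style of addslashes(): put a backslash before
    quote, double quote, backslash and NUL without regard to the character set."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)


def unescaped_quote_remains(escaped: bytes, charset: str) -> bool:
    """Interpret the escaped bytes the way a server using `charset` would and
    report whether a single quote survives without a preceding backslash.
    A multibyte lead byte can absorb the inserted backslash (0x5C) as its trail
    byte, which is exactly how byte-oriented escaping fails for GBK and Big5."""
    text = escaped.decode(charset, errors="replace")
    preceding_backslashes = 0
    for ch in text:
        if ch == "\\":
            preceding_backslashes += 1
            continue
        if ch == "'" and preceding_backslashes % 2 == 0:
            return True
        preceding_backslashes = 0
    return False


def decode_strict(raw: bytes, charset: str) -> Optional[str]:
    """Mitigation step 1: decode the request in the declared charset and reject
    anything that is not a well-formed sequence, so the rest of the code works
    on characters rather than on bare bytes."""
    try:
        return raw.decode(charset)
    except UnicodeDecodeError:
        return None


def search_posts(conn: sqlite3.Connection, raw: bytes,
                 charset: str = "gbk") -> Optional[List[str]]:
    """Mitigation step 2: bind the search term as a parameter so the database
    driver, not string escaping, keeps data separate from SQL."""
    term = decode_strict(raw, charset)
    if term is None:
        return None  # malformed input is refused instead of escaped
    rows = conn.execute(
        "SELECT title FROM posts WHERE title LIKE ?", ("%" + term + "%",)
    ).fetchall()
    return [row[0] for row in rows]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?)",
                     [("O'Reilly review",), ("Hello world",)])
    return conn


if __name__ == "__main__":
    escaped = naive_escape(SAMPLE_INPUT)
    print("naive escaping leaves a bare quote under GBK:",
          unescaped_quote_remains(escaped, "gbk"))
    conn = demo_db()
    print("strict decode + parameter binding:", search_posts(conn, b"O'Reilly"))
    print("malformed input refused:", search_posts(conn, SAMPLE_INPUT))
```

The first check is the one worth keeping around as a regression test when reviewing any code that escapes bytes before the connection charset is known; the strict decode rejects the malformed sample outright, and a legitimate term containing a quote still reaches the parameterized query safely.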
Exploit code for this vulnerability has been publicly released.
While currently unpatched, workarounds do exist.
More information can be found below.
abelcheung.org advisory:
http://www.abelcheung.org/advisory/20071210-wordpress-charset.txt
CVE-2007-6318 (candidate):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6318
Secunia advisory:
http://secunia.com/advisories/28005
ISS X-Force advisory:
http://xforce.iss.net/xforce/xfdb/38959
BugTraq:
http://permalink.gmane.org/gmane.comp.security.bugtraq/34196
Posted by Nathan Heck on December 14, 2007, in Handlers Log.