CVE-2007-0262: wordpress: Full Path disclosure and disclosure of Table Prefix Weakness

Related Vulnerabilities: CVE-2007-0262   CVE-2007-0539   CVE-2007-0541  

Debian Bug report logs - #407289

Reported by: Alex de Oliveira Silva <enerv@host.sk>

Date: Wed, 17 Jan 2007 12:04:58 UTC

Severity: normal

Tags: security

Found in version wordpress/2.0.6-1

Fixed in versions wordpress/2.0.8-1, wordpress/2.1.1-1

Done: Neil McGovern <neilm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Kai Hendry <hendry@iki.fi>:
Bug#407289; Package wordpress.


Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>:
New Bug report received and forwarded. Copy sent to Kai Hendry <hendry@iki.fi>.


Message #5 received at submit@bugs.debian.org:

From: Alex de Oliveira Silva <enerv@host.sk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-0262: wordpress: Full Path disclosure and disclosure of Table Prefix Weakness
Date: Wed, 17 Jan 2007 09:02:29 -0300
Package: wordpress
Version: 2.0.6-1
Severity: important
Tags: security

Affected system:
WordPress =>2.0.6

Discovered a weakness in WordPress, which can be exploited by
malicious people to disclose SQL information and WordPress Full Path.
The problem is that SQL error messages are returned to the user. This
can be exploited to disclose the configured table prefix via an invalid
"m" parameter passed in index.php.

Example:
http://[host]/index.php?m[]=

You will see return information like this:
Warning: rawurlencode() expects parameter 1 to be string, array given in

[path]\wp-includes\classes.php on line 227

WordPress 数据库错误: [Unknown column
'Arra' in 'where clause']
SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND YEAR
(post_date)=Arra AND (post_type = 'post' AND (post_status = 'publish' OR
post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10

Solution:
Edit the source to use the is_array() function to inspect the variable "$m".

Reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0262
http://www.securityfocus.com/archive/1/archive/1/456731/100/0/threaded

Note:
Please mention the CVE id in the changelog.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)



regards,
-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 
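
The check suggested in the report above (test "$m" with is_array() before it reaches the query), written out as an added example; it is not WordPress code and not the upstream 2.0.8 fix. The function names, the accepted YYYY/YYYYMM/YYYYMMDD forms and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: not WordPress code. Names below are hypothetical.

// Keep warnings and SQL errors out of the HTTP response; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Validate the "m" archive parameter.
 * Assumed accepted forms: YYYY, YYYYMM or YYYYMMDD. Anything else yields ''.
 */
function normalize_m_param($raw): string
{
    // index.php?m[]= makes PHP hand the application an array, not a string.
    if (is_array($raw) || !is_string($raw)) {
        return '';
    }
    // Digits only, 4, 6 or 8 of them; \z forbids a trailing newline.
    if (!preg_match('/\A[0-9]{4}(?:[0-9]{2}){0,2}\z/', $raw)) {
        return '';
    }
    return $raw;
}

/** Build the date filter from a validated value, using integers only. */
function date_where_from_m(string $m): string
{
    if ($m === '') {
        return '';   // no date filter; the query stays well-formed
    }
    $where = ' AND YEAR(post_date)=' . (int) substr($m, 0, 4);
    if (strlen($m) >= 6) {
        $where .= ' AND MONTH(post_date)=' . (int) substr($m, 4, 2);
    }
    if (strlen($m) === 8) {
        $where .= ' AND DAYOFMONTH(post_date)=' . (int) substr($m, 6, 2);
    }
    return $where;
}

// Constructed inputs: the first is what PHP produces for ?m[]=
$samples = [[''], '200701', '2007', 'Array', "2007'x"];
foreach ($samples as $raw) {
    $where = date_where_from_m(normalize_m_param($raw));
    printf("%-10s => WHERE 1=1%s\n", json_encode($raw), $where);
}
```

With the array rejected before any string function touches it, neither the rawurlencode() warning (which carries the file path) nor the malformed SQL statement (which carries the table prefix) is produced.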



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#407289; Package wordpress.


Message #8 received at 407289@bugs.debian.org:

From: Kai Hendry <hendry@iki.fi>
To: 407289@bugs.debian.org
Subject: 2.0.7 doesn't close this bug
Date: Fri, 19 Jan 2007 11:42:00 +0000
http://natalian.org/archives/2007/01/17/working-on-wordpress/

Upstream's Ryan Boren told me there will be a 2.0.8 shortly.

This bug does not seem severe, so I'll be marking it down.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#407289; Package wordpress.


Message #11 received at 407289@bugs.debian.org:

From: Kai Hendry <hendry@iki.fi>
To: 407289@bugs.debian.org
Date: Fri, 19 Jan 2007 11:43:51 +0000
severity 407289 normal
bye



Severity set to `normal' from `important'. Request was from Kai Hendry <hendry@iki.fi> to control@bugs.debian.org.


Reply sent to Kai Hendry <hendry@iki.fi>:
You have taken responsibility.


Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer.


Message #18 received at 407289-done@bugs.debian.org:

From: Kai Hendry <hendry@iki.fi>
To: 407289-done@bugs.debian.org
Subject: [ryan@boren.nu: Re: Debian security]
Date: Tue, 23 Jan 2007 22:24:04 +0000
Fixed in 2.1, though I am waiting for 2.0.8 for etch that fixes this
bug.

----- Forwarded message from Ryan Boren <ryan@boren.nu> -----

From: Ryan Boren <ryan@boren.nu>
To: Kai Hendry <hendry@iki.fi>
Cc: security@wordpress.org
Subject: Re: Debian security
Date: Tue, 23 Jan 2007 12:55:10 -0800

On 1/23/07, Kai Hendry <hendry@iki.fi> wrote:
>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407289
>
>Is this bug fixed in 2.1? There are a lot of changes all over the place.

Fixed in 2.1 and will be fixed in 2.0.8.

Ryan


----- End forwarded message -----



Reply sent to Neil McGovern <neilm@debian.org>:
You have taken responsibility.


Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer.


Message #23 received at 407289-close@bugs.debian.org:

From: Neil McGovern <neilm@debian.org>
To: 407289-close@bugs.debian.org
Subject: Bug#407289: fixed in wordpress 2.0.8-1
Date: Mon, 12 Feb 2007 21:32:03 +0000
Source: wordpress
Source-Version: 2.0.8-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive:

wordpress_2.0.8-1.diff.gz
  to pool/main/w/wordpress/wordpress_2.0.8-1.diff.gz
wordpress_2.0.8-1.dsc
  to pool/main/w/wordpress/wordpress_2.0.8-1.dsc
wordpress_2.0.8-1_all.deb
  to pool/main/w/wordpress/wordpress_2.0.8-1_all.deb
wordpress_2.0.8.orig.tar.gz
  to pool/main/w/wordpress/wordpress_2.0.8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 407289@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Neil McGovern <neilm@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  9 Feb 2007 20:08:26 +0000
Source: wordpress
Binary: wordpress
Architecture: source all
Version: 2.0.8-1
Distribution: testing-security
Urgency: high
Maintainer: Kai Hendry <hendry@iki.fi>
Changed-By: Neil McGovern <neilm@debian.org>
Description: 
 wordpress  - an award winning weblog manager
Closes: 407289
Changes: 
 wordpress (2.0.8-1) testing-security; urgency=high
 .
   [Neil McGovern]
   * Non-maintainer upload by security team.
   * Fixes for CVE-2007-0539 and CVE-2007-0541
   [Kai Hendry]
   * New upstream release
   * Security fix, urgency high for etch
   * 2.0.x currently is the Wordpress *stable* branch
   * CVE-2007-0262: wordpress: Full Path disclosure and disclosure of
     Table Prefix Weakness (Closes: #407289)
Files: 
 11d3437bce9ecef138e16efd04de960a 558 web optional wordpress_2.0.8-1.dsc
 b2f3503fee081233a81f5f4903ec3928 519755 web optional wordpress_2.0.8.orig.tar.gz
 32705e954c58c50adb18c121d78535bf 8790 web optional wordpress_2.0.8-1.diff.gz
 763ec097cef97aec52731369149ba7d3 524840 web optional wordpress_2.0.8-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF0NYs97LBwbNFvdMRAkAnAJ4hMEL2Pq3iH5LUKEVs39MpEKNydgCfYy7A
SIcrs/5GHCnHD5w+w7+KjoQ=
=trVz
-----END PGP SIGNATURE-----




Bug marked as fixed in version 2.1.1-1. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Mon, 16 Jul 2007 23:21:07 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Aug 2007 07:42:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:57:35 2019; Machine Name: buxtehude
