Yay, Another WordPress Vulnerability

A WordPress 2.2 vulnerability was posted on milw0rm recently, which allows SQL injection via xmlrpc.php.

Here is the vulnerable function:

function wp_suggestCategories($args) {
    global $wpdb;

    $this->escape($args);

    $blog_id     = (int) $args[0];
    $username    = $args[1];
    $password    = $args[2];
    $category    = $args[3];
    $max_results = $args[4];

    if(!$this->login_pass_ok($username, $password)) {
        return($this->error);
    }

    // Only set a limit if one was provided.
    // $max_results is interpolated into the query unquoted and unvalidated.
    $limit = "";
    if(!empty($max_results)) {
        $limit = "LIMIT {$max_results}";
    }

    $category_suggestions = $wpdb->get_results("
        SELECT cat_ID category_id,
            cat_name category_name
        FROM {$wpdb->categories}
        WHERE cat_name LIKE '{$category}%'
        {$limit}
    ");

    return($category_suggestions);
}

Namely, this part:

if(!empty($max_results)) {
     $limit = "LIMIT {$max_results}";
}

Way to not sanitize or check whether the variable is valid. That's some pretty poor programming practice right there.

It took all of 2 seconds to fix it:

if(!empty($max_results) && is_int($max_results)) {
     $limit = "LIMIT {$max_results}";
}

This was fixed in trac by typecasting the variable to an int. Whatever. Both ways work:

$max_results = (int) $args[4];
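To show why the escaping in wp_suggestCategories() does not help here and what each fix actually does, here is an added example (not WordPress code); escape_like_wpdb() is an assumed stand-in for $this->escape(), treated as addslashes-style quoting:

```php
<?php
// Added example, not WordPress code: the LIMIT clause is built three ways
// (vulnerable, trac's (int) cast, the post's is_int() check) from the same inputs.

// Assumed stand-in for $this->escape() / $wpdb->escape(): addslashes-style quoting.
function escape_like_wpdb(string $value): string {
    return addslashes($value);
}

// Vulnerable construction: the value lands in the SQL unquoted, so escaping
// quote characters changes nothing and any non-numeric text reaches MySQL as SQL.
function limit_clause_vulnerable($max_results): string {
    $max_results = escape_like_wpdb((string) $max_results);
    return empty($max_results) ? "" : "LIMIT {$max_results}";
}

// Fix committed in trac: cast to int. Non-numeric input collapses to 0 or to its
// leading digits; 0 is "empty", so no LIMIT clause is emitted at all.
function limit_clause_cast($raw): string {
    $max_results = (int) $raw;
    return empty($max_results) ? "" : "LIMIT {$max_results}";
}

// Fix proposed in the post: accept only a PHP int. Caveat: is_int() rejects a
// numeric *string* such as "5", which is what an XML-RPC <string> param decodes to.
function limit_clause_is_int($max_results): string {
    if (!empty($max_results) && is_int($max_results)) {
        return "LIMIT {$max_results}";
    }
    return "";
}

// Constructed inputs: a real int, a numeric string, and a string that is not a number.
$inputs = [5, "5", "5 junk"];
foreach ($inputs as $in) {
    printf("%-10s vuln=%-16s cast=%-10s is_int=%s\n",
        var_export($in, true),
        var_export(limit_clause_vulnerable($in), true),   // "5 junk" passes through untouched
        var_export(limit_clause_cast($in), true),         // "5 junk" becomes LIMIT 5
        var_export(limit_clause_is_int($in), true));      // only int 5 is accepted
}
```

Running it shows the vulnerable builder emitting `LIMIT 5 junk` verbatim, the cast reducing it to `LIMIT 5`, and is_int() rejecting both string inputs.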

The issue was posted in trac on May 28, and instead of issuing an update or informing people, nothing has been mentioned. Just let it get disclosed and have people try to exploit it.

It does, however, not look to be too bad. You have to know the user's username and password to exploit it, though I'm not sure what user level is needed for this (I was too lazy to get the exploit working without C#). If it's subscriber, shit. If it's anything other than admin, it's still not very good.
