Package: wordpress
Version: 2.0.6-1
Severity: important
Tags: security

Affected system:
WordPress =>2.0.6

A weakness was discovered in WordPress that can be exploited by
malicious people to disclose SQL information and the WordPress full path.
The problem is that SQL error messages are returned to the user. This
can be exploited to disclose the configured table prefix via an invalid
"m" parameter passed to index.php.

Example:
http://[host]/index.php?m[]=

You will see output like this:
Warning: rawurlencode() expects parameter 1 to be string, array given in [path]\wp-includes\classes.php on line 227

WordPress 数据库错误: [Unknown column 'Arra' in 'where clause']
SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND YEAR
(post_date)=Arra AND (post_type = 'post' AND (post_status = 'publish' OR
post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10

Solution:
Edit the source to use the is_array() function to inspect the variable "$m".

Reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0262
http://www.securityfocus.com/archive/1/archive/1/456731/100/0/threaded

Note:
Please mention the CVE id in the changelog.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)



regards,
-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 
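
The is_array() check suggested under "Solution", as an added example that is not part of the original report and not WordPress code. normalize_m() and build_date_where() are hypothetical helpers, and the YYYYMM... layout of "m" is an assumption; reading 'Arra' in the quoted error as the first four characters of PHP's "Array" string conversion is also an assumption.

```php
<?php
// Added example, not WordPress code: all function names are hypothetical.

/**
 * Return the "m" value only if it is a plain digit string, else null.
 * A request like ?m[]= makes PHP hand the application an array, which is
 * what triggered the rawurlencode() warning and the broken SQL in the report.
 */
function normalize_m($raw): ?string
{
    // The check the report asks for: never let an array reach string functions.
    if (is_array($raw) || !is_string($raw)) {
        return null;
    }
    // Assumed layout: YYYY, optionally followed by MM, DD, HH, MM, SS pairs.
    if (!preg_match('/^\d{4}(\d{2}){0,5}$/', $raw)) {
        return null;
    }
    return $raw;
}

/** Build the date part of the WHERE clause from a validated value. */
function build_date_where(?string $m): string
{
    if ($m === null) {
        return ''; // invalid input: no date filter, no SQL error to display
    }
    // Integer casts guarantee only numbers are concatenated into the query.
    $where = ' AND YEAR(post_date)=' . (int) substr($m, 0, 4);
    if (strlen($m) >= 6) {
        $where .= ' AND MONTH(post_date)=' . (int) substr($m, 4, 2);
    }
    return $where;
}

// Constructed sample inputs, shaped as PHP would deliver them in $_GET['m'].
$samples = [
    'array from ?m[]='  => [''],
    'valid year+month'  => '200701',
    'non-numeric text'  => 'Array',
];

foreach ($samples as $label => $raw) {
    $where = build_date_where(normalize_m($raw));
    printf("%-18s => %s\n", $label, $where === '' ? '(no date filter)' : $where);
}
```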

