Archive for December 2007

Never enter a train station without taking a train!

2007-12-24

I only found out yesterday that if you pass through the gates at a train station and then exit at the same station, the fare deducted is no longer the shortest-trip fare (which used to be around HK$3.2, I think) but a whole ten dollars! That is more expensive than going out to Kowloon. Crazy! Next time I'll have to be smarter: just pick a nearby station, ride there and ride back, which is actually cheaper. Utterly ridiculous.

WordPress Charset SQL Injection Vulnerability

2007-12-10

As promised in the previous post (in Chinese, sorry), here is the full advisory for the WordPress SQL injection vulnerability I mentioned. Excerpt below:

The search function provided within WordPress fails to sanitize input correctly for certain character sets. If WordPress queries the MySQL database using one of these character sets, the search function is exploitable through charset-based SQL injection.

Character sets currently known to be exploitable include Big5, GBK and GB18030. All of them can use the backslash byte (0x5C, '\') as part of a multibyte character. WordPress installations whose MySQL database was created with any other character set having this property may also be exploitable.

Executing this attack alone exposes all database content through the web interface without any authentication. Combined with other exploits (such as the cookie authentication vulnerability disclosed earlier), however, any remote user can obtain WordPress admin privileges, resulting in compromise of the server.

Actually, I had long suspected this was exploitable, though I didn't make a real effort to verify the claim until a few days ago. Given WordPress's security track record, this is entirely to be expected.

Chinese sites stubborn enough to keep using Big5 or GBK encoding in the database are in jeopardy; otherwise most sites should be fairly safe from this exploit (as most should be using UTF-8). Nor is the latin1 character set vulnerable (the default in most earlier WordPress installations). But contrary to common belief, it looks like mysql_real_escape_string() doesn't fix the problem at all. Can anybody confirm or deny this?

2007-12-10 20:55 update: GB18030 is not vulnerable. MySQL 5.0.x doesn't support this character set at all; I don't know about the 5.1 series.
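The mechanism from the advisory excerpt, and the escaping question raised above, modelled in a small constructed example. This is added here and is not code from the original post or from WordPress: the table and column names are made up, the escaper is a simplified stand-in for a byte-oriented routine such as PHP's addslashes() or an escaping call that does not know the real connection charset, and the payloads are constructed. It shows why a lone GBK or Big5 lead byte placed in front of a quote eats the inserted backslash (0x5C is a legal trail byte in both), why the same bytes are harmless under UTF-8 and latin1, and how decoding (validating) the input in the connection charset before escaping closes the hole.

```python
# Added example, not code from the original post or from WordPress.
# A byte-oriented escaper inserts 0x5C before each quote.  In GBK and Big5
# the byte 0x5C is a legal trail byte, so an orphan lead byte right before
# the quote swallows the backslash when the server decodes the query, and
# the quote survives bare.  Table/column names below are made up.

# Characters the escaper backslash-prefixes: ' " \ and NUL.
SPECIAL = {0x27, 0x22, 0x5C, 0x00}

# Illustrative query shape (assumed, not WordPress's actual SQL).
PREFIX = "SELECT id FROM posts WHERE title LIKE '%"
SUFFIX = "%'"


def escape_bytes(term: bytes) -> bytes:
    """Escape one byte at a time, with no knowledge of the charset."""
    out = bytearray()
    for b in term:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_text(term: str) -> str:
    """The same rule applied to decoded characters, so the inserted
    backslash can never land inside a multibyte sequence."""
    return "".join("\\" + c if ord(c) in SPECIAL else c for c in term)


def build_query_vulnerable(term: bytes, charset: str) -> str:
    """Escape the raw bytes, then decode the query as the server would.
    errors='replace' models a server that tolerates malformed sequences."""
    sql = PREFIX.encode(charset) + escape_bytes(term) + SUFFIX.encode(charset)
    return sql.decode(charset, errors="replace")


def build_query_hardened(term: bytes, charset: str):
    """Decode (and thereby validate) the input in the connection charset
    first, then escape characters.  Returns None for invalid byte sequences
    such as an orphan lead byte, instead of passing them to the server."""
    try:
        text = term.decode(charset)  # strict: 0xBF followed by 0x27 fails here
    except UnicodeDecodeError:
        return None
    return PREFIX + escape_text(text) + SUFFIX


def bare_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash.  A correctly built
    query has exactly two: the ones around the LIKE pattern."""
    return sql.count("'") - sql.count("\\'")


# Constructed payloads: an orphan lead byte (0xBF for GBK, 0xA5 for Big5)
# followed by the quote that the escaper is supposed to neutralise.
GBK_PAYLOAD = b"\xbf' OR 1=1 -- "
BIG5_PAYLOAD = b"\xa5' OR 1=1 -- "

if __name__ == "__main__":
    cases = (("gbk", GBK_PAYLOAD), ("big5", BIG5_PAYLOAD),
             ("utf-8", GBK_PAYLOAD), ("latin1", GBK_PAYLOAD))
    for charset, payload in cases:
        q = build_query_vulnerable(payload, charset)
        print(f"{charset:7} byte-escaped: {q!r}  bare quotes={bare_quotes(q)}")
        print(f"{charset:7} hardened:     {build_query_hardened(payload, charset)!r}")
    # A legitimate GBK character whose trail byte is 0x5C survives the
    # hardened path untouched, but the byte escaper doubles its trail byte.
    print(build_query_hardened(b"\xbf\x5c", "gbk"))
    print(escape_bytes(b"\xbf\x5c"))
```

Running it shows three bare quotes in the GBK and Big5 queries (the string literal is closed early and the rest of the payload runs as SQL), but only two under UTF-8 and latin1, where 0x5C can never be a continuation byte. The hardened builder refuses all three payloads, because a lead byte followed by 0x27 is not a valid sequence in either charset; the same effect is obtained in practice by telling the client library the true connection charset before escaping, or by using prepared statements so the search term is never spliced into the SQL text at all.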

WordPress, go die

2007-12-08

I will probably post this to full-disclosure and bugtraq in the near future.

[Screenshot: WordPress SQL injection]

Want to know what that e10adc3949ba59abbe56e057f20f883e in the picture stands for? Look the number up at www.xmd5.net and you'll know what password I used when setting up this test WordPress.

Taken on its own, the most this vulnerability can do is dump the entire contents of the database; combined with other vulnerabilities, though, it becomes unstoppable. For example, the recently published WordPress cookie vulnerability (affecting 1.5 - 2.3.1) lets anyone become a WordPress admin at will, but its prerequisite is being able to read the admin's username and password in order to construct the cookie needed for an admin login. The vulnerability I found happens to retrieve the admin's username and password without direct access to the database, which is exactly the necessary and sufficient condition for that cookie vulnerability.

Still, nobody should worry too much: the vulnerability I found has very demanding preconditions, and most people should not be affected. But if anyone is using Big5, GBK, GB2312 or the like as their database charset, it is time to consider migrating to UTF-8.

Incidentally, anyone planning to suggest that I notify Automattic first can save their breath. They ignore quite a few security advisories and only deal with them once a public exploit exists; I have come to loathe this.