WordPress is a widely used blogging tool that has a huge array of nifty features even in the default installation. If that is not enough then there are thousands of interesting, useful and quirky plugins that can be used to enhance it. It is one of the most prevalent blogging tools on the Internet, with millions of installations maintained by individuals and corporations and is the preferred choice of many webhosting companies. I use it myself on Larholm.com, which is why it saddens me to now see it riddled with holes.

The pluggable.php source file in the wp-includes directory has a number of SQL injection vulnerabilities. The first to be reported today was from line 294:

$cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie']));

The reason why this is bad is that the user and password parts of the cookie are then passed to the wp_login function, which calls get_userdatabylogin with the username. Since we control the contents of the cookie, we control the $user_login variable inside get_userdatabylogin, which is then used unescaped in line 126:

if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$user_login'") )

The wp_login function is called with our arbitrary input in several places, namely from the get_currentuserinfo, auth_redirect and check_ajax_referer functions, which gives multiple attack vectors into the same query.

It's simple enough to fix while we wait for an official upgrade from WordPress: just add $user_login = mysql_real_escape_string($user_login); before the SQL query. A far safer solution would be to bind all of the SQL input through prepared statements with specific input types, so that user-supplied values can never be parsed as SQL at all.
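To make the difference between the two fixes concrete, here is an added example (my own code, not WordPress's) that puts the string-built lookup from line 126 beside a bound-parameter version. It uses PDO with an in-memory SQLite table named wp_users as a stand-in for $wpdb->users, and the login_from_cookie helper is a simplification that takes the first cookie element as the login name; the real cookie layout and the password check are left out.

```php
<?php
// Added example, not WordPress code. Stand-in table for $wpdb->users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)");
$db->exec("INSERT INTO wp_users (user_login, user_pass) VALUES ('admin', 'constructed-hash')");

// Mirrors how pluggable.php derives the login name from request input.
// The whole cookie string is attacker-controlled, so the return value is untrusted.
// Simplification: the first element is taken as the login name.
function login_from_cookie(string $raw_cookie): string {
    $cookie = explode('; ', urldecode($raw_cookie));
    return $cookie[0];
}

// Vulnerable shape: $user_login is interpolated straight into the SQL text,
// exactly as on line 126 of pluggable.php.
function get_userdatabylogin_unsafe(PDO $db, string $user_login) {
    $sql = "SELECT * FROM wp_users WHERE user_login = '$user_login'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened shape: the value travels as a bound parameter and is never part of
// the statement that the database parses.
function get_userdatabylogin_safe(PDO $db, string $user_login) {
    $stmt = $db->prepare("SELECT * FROM wp_users WHERE user_login = :login");
    $stmt->execute([':login' => $user_login]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Well-formed cookie: both versions find the same row.
$normal = login_from_cookie("admin; unused");
$row = get_userdatabylogin_safe($db, $normal);
echo "safe lookup for 'admin' found: " . ($row ? $row['user_login'] : 'nothing') . "\n";

// A single quote in the cookie is enough to change the structure of the SQL.
// The unsafe version hands it to the parser and fails; the safe version
// treats it as data and simply finds no matching user.
$tainted = login_from_cookie(rawurlencode("o'hara") . "; unused");
try {
    get_userdatabylogin_unsafe($db, $tainted);
    echo "unsafe query ran without error\n";
} catch (PDOException $e) {
    echo "unsafe query broke: the quote was parsed as SQL (" . $e->getMessage() . ")\n";
}
$row = get_userdatabylogin_safe($db, $tainted);
echo "safe lookup for o'hara found: " . ($row ? $row['user_login'] : 'nothing') . "\n";
```

The quote character is only used here to show that the database parses it as SQL syntax in the unsafe version; an escaping call such as the mysql_real_escape_string fix above neutralises that one character class, whereas the bound parameter removes the user value from the parsed statement entirely, which is why the post recommends it as the proper fix.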

The sad thing is that there are other potential SQL injection vulnerabilities in the WordPress code. And while the rest of you are looking for those I am chilling with ascii` on IRC looking through the WordPress mailer code which seems to have a direct command execution vulnerability :)