WordPress SQL column truncation vulnerability

imagensecforcepost.png

This vulnerability has been published some days ago where an attacker could create a duplicated “admin” user and recover the legitimate “admin” password. SQL column truncation is an attacking technique whereby an attacker take advance of some kind of mismatch between an application and the database structure used by it.

Let’s have a look to the vulnerable code.

In schema.php in the Wordpress application it is defined the creation of the database table containing users:

CREATE TABLE $wpdb->users (
ID bigint(20) unsigned NOT NULL auto_increment,
user_login varchar(60) NOT NULL default '',

As we can see, the user_login field has a length of 60 bytes. However, the application does not enforce this limitation and allows longer usernames.

An attacker could create a user called “admin[55 spaces]X”. The last “X” is character 61 and therefore will be ignored by the database.

Later in the code, we can see that the user_login field is trim()ed and all the spaces are removed, so it becomes “admin”:

<?php 
if ( strstr($_POST['user_login'], '@') ) {
$user_data = get_user_by_email(trim($_POST['user_login']));
if ( empty($user_data) )
$errors->add('invalid_email', __('<strong>ERROR</strong>: There is no user registered with that email address.'));
} else {
$login = trim($_POST['user_login']);
$user_data = get_userdatabylogin($login);
?>

In summary, this is a very creative vulnerability and an interesting vector of attack.

[1]: http://irk4z.wordpress.com/2008/09/14/sql-column-truncation-vulnerability/

You may also be interested in...

imagensecforcepost.png
Oct. 29, 2019

Ajenti 2 Remote Code Execution (CVE-2018-1000082)

Doing code reviews and application tests is a normal part of life at SECFORCE, and as a part of my security research a few days ago I turned my attention towards the open-source project Ajenti, a server control panel similar to webmin.

See more
imagensecforcepost.png
Dec. 5, 2012

Bring your own device (BYOD) security challenges

BYOD is a business policy which encourages employees to bring their personal devices (laptops, tablets, mobile phones) to the corporate environment and perform business tasks with them.

See more