VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis
Vulnerability Analysis Result (Revision No : 1)
CVE-2010-4257
wordpress: SQL injection vulnerability in the do_trackbacks fu...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4257

Original

SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field.

About This Analysis Information
Analysis Information Provider: NIST NVD
First Published: 2010-12-07
Source Information Category: Advisory, Alert
Last Updated: 2010-12-08

Affected Product Tags
cpe:/a:wordpress:wordpress
cpe:/a:wordpress:wordpress:0.6.2
cpe:/a:wordpress:wordpress:0.6.2.1
cpe:/a:wordpress:wordpress:0.6.2.1:beta_2
cpe:/a:wordpress:wordpress:0.6.2:beta_2
cpe:/a:wordpress:wordpress:0.7
cpe:/a:wordpress:wordpress:0.71
cpe:/a:wordpress:wordpress:0.71-gold
cpe:/a:wordpress:wordpress:0.711
cpe:/a:wordpress:wordpress:0.71::gold
cpe:/a:wordpress:wordpress:0.72
cpe:/a:wordpress:wordpress:0.72:::beta1
cpe:/a:wordpress:wordpress:0.72:::rc1
cpe:/a:wordpress:wordpress:0.72:beta1
cpe:/a:wordpress:wordpress:0.72:beta2
cpe:/a:wordpress:wordpress:0.72:rc1
cpe:/a:wordpress:wordpress:1.0
cpe:/a:wordpress:wordpress:1.0-platinum
cpe:/a:wordpress:wordpress:1.0.1
cpe:/a:wordpress:wordpress:1.0.1-miles
cpe:/a:wordpress:wordpress:1.0.1::miles
cpe:/a:wordpress:wordpress:1.0.1:rc1
cpe:/a:wordpress:wordpress:1.0.2
cpe:/a:wordpress:wordpress:1.0.2-blakey
cpe:/a:wordpress:wordpress:1.0.2::blakey
cpe:/a:wordpress:wordpress:1.0::platinum
cpe:/a:wordpress:wordpress:1.0:rc1
cpe:/a:wordpress:wordpress:1.0:rc2
cpe:/a:wordpress:wordpress:1.0:rc3
cpe:/a:wordpress:wordpress:1.0:rc4
cpe:/a:wordpress:wordpress:1.2
cpe:/a:wordpress:wordpress:1.2-delta
cpe:/a:wordpress:wordpress:1.2-mingus
cpe:/a:wordpress:wordpress:1.2.1
cpe:/a:wordpress:wordpress:1.2.2
cpe:/a:wordpress:wordpress:1.2::mingus
cpe:/a:wordpress:wordpress:1.2:beta
cpe:/a:wordpress:wordpress:1.2:delta
cpe:/a:wordpress:wordpress:1.2:rc1
cpe:/a:wordpress:wordpress:1.2:rc2
cpe:/a:wordpress:wordpress:1.3.1
cpe:/a:wordpress:wordpress:1.4
cpe:/a:wordpress:wordpress:1.5
cpe:/a:wordpress:wordpress:1.5-strayhorn
cpe:/a:wordpress:wordpress:1.5.1
cpe:/a:wordpress:wordpress:1.5.1.1
cpe:/a:wordpress:wordpress:1.5.1.2
cpe:/a:wordpress:wordpress:1.5.1.3
cpe:/a:wordpress:wordpress:1.5.2
cpe:/a:wordpress:wordpress:1.5::strayhorn
cpe:/a:wordpress:wordpress:1.6
cpe:/a:wordpress:wordpress:2.0
cpe:/a:wordpress:wordpress:2.0.1
cpe:/a:wordpress:wordpress:2.0.10
cpe:/a:wordpress:wordpress:2.0.10:rc1
cpe:/a:wordpress:wordpress:2.0.10:rc2
cpe:/a:wordpress:wordpress:2.0.10:rc3
cpe:/a:wordpress:wordpress:2.0.10_rc1
cpe:/a:wordpress:wordpress:2.0.10_rc2
cpe:/a:wordpress:wordpress:2.0.11
cpe:/a:wordpress:wordpress:2.0.11:rc1
cpe:/a:wordpress:wordpress:2.0.11:rc2
cpe:/a:wordpress:wordpress:2.0.11:rc3
cpe:/a:wordpress:wordpress:2.0.1:rc1
cpe:/a:wordpress:wordpress:2.0.2
cpe:/a:wordpress:wordpress:2.0.3
cpe:/a:wordpress:wordpress:2.0.4
cpe:/a:wordpress:wordpress:2.0.5
cpe:/a:wordpress:wordpress:2.0.5:beta
cpe:/a:wordpress:wordpress:2.0.5:rc1
cpe:/a:wordpress:wordpress:2.0.6
cpe:/a:wordpress:wordpress:2.0.6:beta
cpe:/a:wordpress:wordpress:2.0.6:rc1
cpe:/a:wordpress:wordpress:2.0.7
cpe:/a:wordpress:wordpress:2.0.7:rc1
cpe:/a:wordpress:wordpress:2.0.7:rc2
cpe:/a:wordpress:wordpress:2.0.8
cpe:/a:wordpress:wordpress:2.0.8:rc1
cpe:/a:wordpress:wordpress:2.0.9
cpe:/a:wordpress:wordpress:2.0.9:beta
cpe:/a:wordpress:wordpress:2.0.9rc1
cpe:/a:wordpress:wordpress:2.1
cpe:/a:wordpress:wordpress:2.1.1
cpe:/a:wordpress:wordpress:2.1.1:rc1
cpe:/a:wordpress:wordpress:2.1.1beta
cpe:/a:wordpress:wordpress:2.1.2
cpe:/a:wordpress:wordpress:2.1.3
cpe:/a:wordpress:wordpress:2.1.3:rc1
cpe:/a:wordpress:wordpress:2.1.3:rc2
cpe:/a:wordpress:wordpress:2.1.3:rc3
cpe:/a:wordpress:wordpress:2.1.3_rc1
cpe:/a:wordpress:wordpress:2.1.3_rc2
cpe:/a:wordpress:wordpress:2.1:alpha_3
cpe:/a:wordpress:wordpress:2.1:beta1
cpe:/a:wordpress:wordpress:2.1:beta2
cpe:/a:wordpress:wordpress:2.1:beta3
cpe:/a:wordpress:wordpress:2.1:beta4
cpe:/a:wordpress:wordpress:2.1:rc1
cpe:/a:wordpress:wordpress:2.1:rc2
cpe:/a:wordpress:wordpress:2.2
cpe:/a:wordpress:wordpress:2.2.0
cpe:/a:wordpress:wordpress:2.2.1
cpe:/a:wordpress:wordpress:2.2.2
cpe:/a:wordpress:wordpress:2.2.3
cpe:/a:wordpress:wordpress:2.2::revision5002
cpe:/a:wordpress:wordpress:2.2::revision5003
cpe:/a:wordpress:wordpress:2.2:rc1
cpe:/a:wordpress:wordpress:2.2:rc2
cpe:/a:wordpress:wordpress:2.2_revision5002
cpe:/a:wordpress:wordpress:2.2_revision5003
cpe:/a:wordpress:wordpress:2.3
cpe:/a:wordpress:wordpress:2.3.1
cpe:/a:wordpress:wordpress:2.3.1:beta1
cpe:/a:wordpress:wordpress:2.3.1:rc1
cpe:/a:wordpress:wordpress:2.3.2
cpe:/a:wordpress:wordpress:2.3.2:beta
cpe:/a:wordpress:wordpress:2.3.2:beta2
cpe:/a:wordpress:wordpress:2.3.2:beta3
cpe:/a:wordpress:wordpress:2.3.2:rc1
cpe:/a:wordpress:wordpress:2.3.3
cpe:/a:wordpress:wordpress:2.3:beta1
cpe:/a:wordpress:wordpress:2.3:beta2
cpe:/a:wordpress:wordpress:2.3:beta3
cpe:/a:wordpress:wordpress:2.3:rc1
cpe:/a:wordpress:wordpress:2.5
cpe:/a:wordpress:wordpress:2.5.1
cpe:/a:wordpress:wordpress:2.5:rc1
cpe:/a:wordpress:wordpress:2.5:rc2
cpe:/a:wordpress:wordpress:2.5:rc3
cpe:/a:wordpress:wordpress:2.6
cpe:/a:wordpress:wordpress:2.6.1
cpe:/a:wordpress:wordpress:2.6.1:beta1
cpe:/a:wordpress:wordpress:2.6.1:beta2
cpe:/a:wordpress:wordpress:2.6.2
cpe:/a:wordpress:wordpress:2.6.3
cpe:/a:wordpress:wordpress:2.6.5
cpe:/a:wordpress:wordpress:2.6:beta1
cpe:/a:wordpress:wordpress:2.6:beta2
cpe:/a:wordpress:wordpress:2.6:beta3
cpe:/a:wordpress:wordpress:2.6:rc1
cpe:/a:wordpress:wordpress:2.7
cpe:/a:wordpress:wordpress:2.7.1
cpe:/a:wordpress:wordpress:2.7.1:beta1
cpe:/a:wordpress:wordpress:2.7.1:rc1
cpe:/a:wordpress:wordpress:2.7.1:rc1::iis
cpe:/a:wordpress:wordpress:2.7:::coltrane
cpe:/a:wordpress:wordpress:2.7:beta1
cpe:/a:wordpress:wordpress:2.7:beta2
cpe:/a:wordpress:wordpress:2.7:beta3
cpe:/a:wordpress:wordpress:2.7:rc1
cpe:/a:wordpress:wordpress:2.7:rc2
cpe:/a:wordpress:wordpress:2.8
cpe:/a:wordpress:wordpress:2.8.1
cpe:/a:wordpress:wordpress:2.8.1:beta1
cpe:/a:wordpress:wordpress:2.8.1:beta2
cpe:/a:wordpress:wordpress:2.8.1:jazzes_themes_and_widgets
cpe:/a:wordpress:wordpress:2.8.1:rc1
cpe:/a:wordpress:wordpress:2.8.2
cpe:/a:wordpress:wordpress:2.8.2::iis
cpe:/a:wordpress:wordpress:2.8.3
cpe:/a:wordpress:wordpress:2.8.4
cpe:/a:wordpress:wordpress:2.8.4::iis
cpe:/a:wordpress:wordpress:2.8.4:a:iis
cpe:/a:wordpress:wordpress:2.8.4:b:iis
cpe:/a:wordpress:wordpress:2.8.5
cpe:/a:wordpress:wordpress:2.8.5:beta1
cpe:/a:wordpress:wordpress:2.8::iis
cpe:/a:wordpress:wordpress:2.8:beta1
cpe:/a:wordpress:wordpress:2.8:beta2
cpe:/a:wordpress:wordpress:2.8:rc1
cpe:/a:wordpress:wordpress:2.9
cpe:/a:wordpress:wordpress:2.9.1
cpe:/a:wordpress:wordpress:2.9.1:beta1
cpe:/a:wordpress:wordpress:2.9.1:rc1
cpe:/a:wordpress:wordpress:2.9.2
cpe:/a:wordpress:wordpress:3.0
cpe:/a:wordpress:wordpress:3.0.1 and previous versions
 


Vulnerability Analysis Results (selected value per metric; the other options offered are listed in parentheses)
Access Vector: Network (Undefined / Local / Adjacent Network)
Access Complexity: Medium (Undefined / High / Low)
Authentication: Single (Undefined / Multiple / None)
Confidentiality Impact: Partial (Undefined / None / Complete)
Integrity Impact: Partial (Undefined / None / Complete)
Availability Impact: Partial (Undefined / None / Complete)

Alternatives

References
CONFIRM http://wordpress.org/news/2010/11/wordpress-3-0-2/
CONFIRM http://core.trac.wordpress.org/changeset/16625
CONFIRM http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605603
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=659265
CONFIRM http://codex.wordpress.org/Version_3.0.2
MISC http://blog.sjinks.pro/wordpress/858-information-disclosure-via-sql-injection-attack/
MISC http://www.xakep.ru/magazine/xa/124/052/1.asp
SECUNIA 42431

Vulnerability Type: SQL Injection (CWE-89)

Copyright © 2010 JPCERT/CC All Rights Reserved.