Jump to content

Wordpress "admin-ajax.php" Sql Injection

Recommended Posts

From: Secunia (http://secunia.com/advisories/25345/)

Rating: Moderately critical



Janek Vind has discovered a vulnerability in WordPress, which can be exploited by malicious people to conduct SQL injection attacks.


Input passed to the "cookie" parameter in wp-admin/admin-ajax.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.


Successful exploitation allows e.g. retrieving administrator password hashes, but requires knowledge of the database table prefix.


The vulnerability is confirmed in version 2.1.3. Prior versions may also be affected.



Update to version 2.2.


Wordpress 2.2 was released on May 16. For those who missed the announcement, please click here.

Link to comment
Share on other sites

But where they aren't clear is whether prior versions of the 2.1.x code line could be affected, or whether prior versions of 2.0.x code line might be affected as well.

Link to comment
Share on other sites

Does TC have any control over the Fantastico on here? I mean I just installed WP via Fantastico to play with it and I am aware it is out of date but many people just install stuff from Fantastico and don't bother to check if it's the latest version or even check for updates in the future.

Link to comment
Share on other sites

I was thinking more of TC adding a notice on the Fantastico page saying that the scripts offered are possibly out of date and that the person installing should check for updates once the script has been installed as it is easier to update than to install from scratch.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...