Abel Cheung has discovered yet another vulnerability in WordPress.
The search function provided within WordPress fails to sanitize input correctly for some character sets. When WordPress queries the MySQL database using certain character sets, the search function is therefore exploitable via charset-based SQL injection.
Currently known exploitable character sets include Big5 and GBK (see your wp-config.php; this will mainly affect Chinese blogs). Both of them may use the backslash (\) as part of a multibyte character. WordPress installations whose MySQL database was created with any other character set having this property may also be exploitable.
Workaround: This vulnerability only exists for database queries performed using certain character sets. For databases created in most other character sets no remedy is needed.
- a. It is recommended to convert the WordPress database to use a character set not vulnerable to such SQL exploits. One such charset is UTF-8, which never uses the backslash (\) as part of a multibyte character and supports various languages.
- b. Alternatively, edit WordPress theme to remove search capability.
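To check which character sets have the property described above (a backslash byte that can be the trailing byte of a multibyte character) and to show what charset-aware escaping must do instead of byte-wise escaping, here is an added example; it is not code from the advisory or from WordPress, and it uses Python's built-in codecs as a stand-in for the MySQL server's charset tables. The check is general, so it also flags other legacy charsets with the same layout, such as Shift_JIS.

```python
"""Charset-based SQL injection: property check and charset-aware escaping.

Added example, not part of the advisory or WordPress. In charsets such as
Big5 and GBK the byte 0x5C ('\\') is a legal trailing byte of a two-byte
character, so a backslash inserted by byte-wise (addslashes-style) escaping
can be swallowed into the preceding character and the quote it was meant
to protect survives. UTF-8 has no such byte.
"""

BACKSLASH = 0x5C


def backslash_is_trailing_byte(encoding: str) -> bool:
    """True if some valid multibyte character in `encoding` ends in 0x5C.

    Intended for the byte-oriented charsets MySQL accepts as connection
    charsets (not UTF-16 style encodings, where every char is 2+ bytes).
    """
    for lead in range(0x80, 0x100):
        try:
            ch = bytes([lead, BACKSLASH]).decode(encoding)
        except UnicodeDecodeError:
            continue  # lead + 0x5C is not a valid sequence here
        if len(ch) == 1:  # the two bytes formed a single character
            return True
    return False


def is_well_formed(value: bytes, encoding: str) -> bool:
    """True if `value` decodes strictly (no truncated or invalid sequences)."""
    try:
        value.decode(encoding)
        return True
    except UnicodeDecodeError:
        return False


# What a charset-aware escaping routine has to do: decode strictly first,
# escape at the character level, then re-encode. Parameterised queries are
# still the preferred fix; this only mirrors the minimum a string escaper needs.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0"}


def escape_for_charset(value: bytes, encoding: str) -> bytes:
    """Escape a SQL string literal body under `encoding`; raises on bad input."""
    text = value.decode(encoding)  # UnicodeDecodeError on malformed bytes
    return "".join(_ESCAPES.get(ch, ch) for ch in text).encode(encoding)
```

A database converted to UTF-8, as the workaround recommends, makes `backslash_is_trailing_byte` return False, which is exactly why that conversion removes the issue.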
The full advisory is available here.
Thanks to Abel for keeping us in the loop, and great find.