CVE-2007-0107

Sažetak

WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.

Reference

http://osvdb.org/31579
http://secunia.com/advisories/23595
http://secunia.com/advisories/23741
http://security.gentoo.org/glsa/glsa-200701-10.xml
http://securityreason.com/securityalert/2112
http://wordpress.org/development/2007/01/wordpress-206/
http://www.hardened-php.net/advisory_022007.141.html
http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.005.html
http://www.securityfocus.com/archive/1/456049/100/0/threaded
http://www.securityfocus.com/bid/21907
http://www.vupen.com/english/advisories/2007/0061
https://exchange.xforce.ibmcloud.com/vulnerabilities/31297

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

16-10-2018 - 16:31

Objavljeno

09-01-2007 - 00:28