As if we needed more evidence that register_globals is bad

For the past few years, PHP security experts have been pounding on the heads of sysadmins to turn off register_globals. While default installs of PHP turn it off, some popular web apps (especially older versions) insist on using it, so some webhost sysadmins will turn it on, presumably to make things go smoothly for their customers. Oops!

CVE-2007-0233, what seems like the 300th Wordpress vulnerability in the last two weeks, reports an sql injection vulnerability in Wordpress 2.0.6 (which was only released 11 days ago). The exploit appears to rely on register_globals being enabled, though:

funkatron@foo > php xpl.php foo.com /wp/

---------------------------------------------------------------------------
Wordpress < = 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index /
/ sql injection admin hash disclosure exploit
(needs register_globals=on, 4 <= PHP < 4.4.3,< 5.1.4)
by rgod
dork: "is proudly powered by WordPress"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------

pwd hash   ->
admin user ->
exploit failed...

This is a good example of why web app security (and any security, for that matter) must be multilayered: on the hardware level, on the server daemon level, on the language environment level, and on the code level.

So, for the love of god, STOP ENABLING REGISTER_GLOBALS, upgrade to Wordpress 2.0.7, and (shameless plug) use PhpSecInfo to audit your PHP environment. ;)

[tags]php, phpsecinfo, register-globals, sql-injection, wordpress[/tags]