Wordpress 2.0.3 SQL Injection

It seems that WordPress continues to miss essential checks in its source code. This time, though, the bug is NOT a critical one.

An example URL was released on Bugtraq this morning; the idea is that there is no check on whether the “paged” parameter in the URL is positive or negative.

You can try the injection on Wordpress 2.0.3 requesting http://www.yourblog.com/?paged=-1

Browsing my access_log, I have to make a remark: “www.yourblog.com” doesn’t mean “www.cafe-sofia.com” :-) I’ve patched mine with the method below :)

With the default settings of the installation you will see something like this: WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20, 10' at line 1]
SELECT DISTINCT * FROM _posts WHERE 1=1 AND post_date_gmt <= '2006-09-07 15:33:59' AND (post_status = "publish" OR post_author = 1 AND post_status != 'draft' AND post_status != 'static') AND post_status != "attachment" GROUP BY _posts.ID ORDER BY post_date DESC LIMIT -20, 10

The good news is that the code does check that the “paged” parameter is an integer, so the value is cast before it reaches the query and only its sign goes unchecked. Without that cast, passing other characters could have allowed a far more SEVERE injection; as it stands, the impact is a failed query whose full text is disclosed in the error message.
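To make the two points above concrete (the missing sign check, and the integer cast that keeps this from being a full injection), here is an added illustration written for this post. It is not WordPress code: it models how a pagination offset is built from the “paged” parameter in the way the error above suggests, with 10 posts per page so that paged=-1 yields the same “LIMIT -20, 10”, and shows a hardened variant that clamps the page number. The function names, the 10-per-page default and the probe inputs are all assumptions.

```php
<?php
// Added illustration, not WordPress code. Models a pagination offset built
// from the "paged" query parameter, first as the post describes 2.0.3
// behaving, then with a lower bound on the page number.

declare(strict_types=1);

/**
 * Unchecked variant: the value is cast to int, so quotes and SQL keywords
 * are discarded, but nothing stops the page number from being 0 or negative.
 */
function limitClauseUnchecked(string $pagedParam, int $postsPerPage = 10): string
{
    $paged  = (int) $pagedParam;            // "-1" -> -1, "1 UNION SELECT 1" -> 1
    $offset = ($paged - 1) * $postsPerPage; // paged=-1 gives -20, as in the error
    return sprintf('LIMIT %d, %d', $offset, $postsPerPage);
}

/**
 * Hardened variant: clamp the page number to at least 1 so the offset can
 * never go negative. (Taking abs() of the page number would also work.)
 */
function limitClauseChecked(string $pagedParam, int $postsPerPage = 10): string
{
    $paged  = max(1, (int) $pagedParam);
    $offset = ($paged - 1) * $postsPerPage;
    return sprintf('LIMIT %d, %d', $offset, $postsPerPage);
}

/** Quick sanity check: MySQL only accepts non-negative LIMIT arguments. */
function offsetIsValid(string $limitClause): bool
{
    return (bool) preg_match('/^LIMIT \d+, \d+$/', $limitClause);
}

// Constructed inputs mimicking ?paged=... values: a normal page, the value
// from the post, zero, and a probe that the integer cast neutralises.
foreach (['2', '-1', '0', '1 UNION SELECT 1'] as $input) {
    $unchecked = limitClauseUnchecked($input);
    $checked   = limitClauseChecked($input);
    printf(
        "paged=%-20s unchecked: %-14s (%s)  hardened: %s\n",
        var_export($input, true),
        $unchecked,
        offsetIsValid($unchecked) ? 'ok' : 'MySQL syntax error',
        $checked
    );
}
```

Run it with the PHP CLI; the “-1” and “0” rows show the unchecked clause failing while the hardened one falls back to the first page, and the UNION probe row shows why the cast alone already rules out arbitrary SQL.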

If you don’t want your blog to output errors, modify the file ‘wp-db.php’ at line 113 and change “$this->show_errors = true” to “$this->show_errors = false”. Keep in mind that this only hides the error message (and the query text it discloses); the malformed LIMIT is still sent to MySQL, so treat it as a stopgap until you upgrade.


3 Comments so far

Pretty hard to be true considering WordPress 2.0.5 has not been released yet. This issue was resolved in WordPress 2.0.4.

Oops, I was thinking of the more severe issue you mentioned. WP 2.0.5 RC1 is now available. I could not duplicate this issue, but if there is still a problem please file a bug at http://trac.wordpress.org . Thank you.

Thank you for your comment Lloyd! It’s my mistake. I’ll fix the post.
