[wp-hackers] sql injection protected included?

Tom Barrett tcbarrett at gmail.com
Wed Feb 29 07:54:01 UTC 2012


On 29 February 2012 01:20, Mika A Epstein <ipstenu at ipstenu.org> wrote:

> Showing... Kind of.
>
> I mean there's http://codex.wordpress.org/Security_FAQ but I don't think
> that's what you're looking for. You're thinking like a MS level of
> vulnerability disclosures, right?
>

Yes, that's the gist of it. Something in between a single line saying to
email plugins and a full-on MSRC web site.

And then before that, at the development stage, are there procedures,
techniques, etc. that (the core team) use when creating new versions that
show how they attempt to tackle issues pre-emptively.

Hope I've expressed that clearly.


>
> On 28 Feb 2012, at 4:25:49PM, Tom Barrett wrote:
>
> > Apologies for going off topic, but are there resources showing (possibly
> > demonstrably) how WordPress tackles and reacts to security issues?
> >
> > It must be a common issue for companies that use open source resources,
> > relying heavily on the community to make sure application development and
> > incident reporting is handled appropriately?
> >
> > E.g. I might feel comfortable contributing to fix a PHP or WordPress issue,
> > but I am completely dependent on Ubuntu to handle that for my servers.
> >
> > //Tom
> > Sent on Android
> > On Feb 28, 2012 9:04 PM, "Bjorn Wijers" <burobjorn at gmail.com> wrote:
> >
> >> I apologize for not contacting the mentioned addresses, I wasn't sure if
> >> the plugin was indeed insecure or if I was just seeing ghosts. In the
> >> future I will contact the mentioned addresses even if I'm not 100% sure.
> >>
> >> Thanks for your quick reply and action!
> >>
> >> grtz
> >> BjornW
> >>
> >>> Yes, that is an SQL injection and it is exploitable. The plugin has
> >>> been closed, the author will be contacted.
> >>>
> >>> In the future, please don't make security issues like this public
> >>> immediately. Contact plugins at wordpress.org or security at wordpress.org
> >>> first.
> >>>
> >>> -Otto
> >>>
> >>>
> >>>
> >>> On Tue, Feb 28, 2012 at 11:52 AM, Bjorn Wijers <burobjorn at gmail.com>
> >>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I was looking at this plugin's file[1] and I was a bit surprised about it
> >>>> not using wpdb->prepare() for escaping user input in db queries.
> >>>>
> >>>> I've tried to abuse this (proving this plugin contains a mistake and fix
> >>>> it), but failed.
> >>>>
> >>>> It seems that WordPress is using its own version of magic_quotes() called
> >>>> wp_magic_quotes() in wp-includes/load.php to actively prevent single quotes
> >>>> from being used in the wpdb->query()? Btw I'm sure magic_quotes() is off in
> >>>> my php.ini (although I do use the Suhosin patch). I'm using PHP 5.3.5.
> >>>>
> >>>> So why bother with wpdb->prepare() or any other higher level escape
> >>>> functions if WordPress is already (partially?) taking care of this?
> >>>>
> >>>> Just wondering, if some other people could have a look at this and perhaps
> >>>> enlighten me on SQL injection protection and best practices (for WordPress
> >>>> plugins) given that I was under the impression one should always escape
> >>>> user input.
> >>>>
> >>>> [1] http://plugins.svn.wordpress.org/i-like-this/trunk/like.php
> >>>>
> >>>> Thanks in advance,
> >>>>
> >>>> Grtz
> >>>> BjornW
> >>>> _______________________________________________
> >>>> wp-hackers mailing list
> >>>> wp-hackers at lists.automattic.com
> >>>> http://lists.automattic.com/mailman/listinfo/wp-hackers



-- 
http://www.tcbarrett.com | http://gplus.to/tcbarrett |
http://twitter.com/tcbarrett
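The distinction Bjorn asks about above, as an added example that is not code from the i-like-this plugin, from WordPress core, or from anyone in this thread: a hypothetical "like" handler written the weak way and the hardened way. wp_magic_quotes() only adds backslashes to request data, which matters solely when the value lands inside a quoted SQL string literal; a value concatenated bare into an integer comparison is passed to MySQL unchanged. The function, table and column names are assumptions for illustration; $wpdb, $wpdb->prepare(), $wpdb->query(), $wpdb->prefix and absint() are real WordPress APIs.

```php
<?php
// Added example (not the plugin's code). Table/column names are constructed.

// --- Weak form: leans on wp_magic_quotes() having slashed $_GET -------------
// wp_magic_quotes() turns ' into \' in $_GET/$_POST/$_COOKIE. That only helps
// when the value ends up inside a quoted literal ('...'). Here post_id is
// concatenated bare into an integer comparison, so any non-numeric text in it
// reaches MySQL verbatim and can change the meaning of the statement.
function record_like_unsafe() {
    global $wpdb;
    $post_id = $_GET['post_id'];                       // unvalidated string
    $wpdb->query(
        "UPDATE {$wpdb->prefix}post_likes SET likes = likes + 1 "
        . "WHERE post_id = " . $post_id                // no quotes, no cast
    );
}

// --- Hardened form: validate the type, then let prepare() build the SQL -----
// Slashing no longer matters: %d forces an integer and prepare() escapes %s
// itself, so the query does not depend on what load.php did to the
// superglobals. Because request data arrives already slashed on WordPress of
// this era, strings are stripslashes()'d before prepare(); otherwise they are
// escaped twice and stored with literal backslashes.
function record_like_safe() {
    global $wpdb;
    $post_id = isset($_GET['post_id']) ? absint($_GET['post_id']) : 0;
    if ($post_id === 0) {
        return false;                                  // reject, do not guess
    }
    $voter = isset($_GET['nick']) ? stripslashes($_GET['nick']) : '';

    $sql = $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}post_likes (post_id, voter) VALUES (%d, %s)",
        $post_id,
        $voter
    );
    return $wpdb->query($sql) !== false;
}
```

The same reasoning applies to column or table names and to ORDER BY / LIMIT fragments, which prepare() cannot parameterise at all: those must be checked against a whitelist in PHP, since no amount of slashing protects an unquoted context.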


More information about the wp-hackers mailing list