[wp-trac] [WordPress Trac] #20489: PCI Compliance/Wordpress SQL Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 19 15:34:33 UTC 2012
#20489: PCI Compliance/Wordpress SQL Injection Vulnerability
--------------------------+-----------------------------
Reporter: txfright | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
--------------------------+-----------------------------
Hello,
SecurityMetrics is failing my site because there is an SQL injection
vulnerability.
Here is a recent email from SecurityMetrics:
----
The website http://www.texasfrightmareweekend.com/ currently has several
SQL injection and Cross Site Scripting vulnerabilities that are flagging.
I was able to validate that user input is not being sanitized. If you go
to this link:
http://www.texasfrightmareweekend.com/weirdpress/?s=%3E%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E
You can see that I was able to inject a script command into the search
field of the page and the server responded by creating the alert box.
In order to resolve these issues the website will need to be sanitizing
all user input, including the URL itself. This means that any special
characters that are entered by a user are dynamically changed by the
website or create an error.
Once you have been able to sanitize the site we need to run a new scan to
reflect those changes. You are able to start a new scan at any time from
your account summary page by using the 'run' button, or if you prefer we
are happy to start a scan at your request.
If you have any questions please let us know. Our support staff is
available 24 hours a day at 801.705.5700, or you are welcome to reply to
this email.
----
Is there a fix for this?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/20489>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
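The scanner's finding quoted above is a reflected XSS check: the decoded `?s=` value is `><script>alert('123')</script>`, and the test is whether the page echoes that markup back unchanged. The following PHP is an added example, not code from the ticket, from WordPress core or from the reporter's site, and it does not identify where the reflection on that site actually happens (the ticket does not say). It contrasts a hypothetical theme snippet that echoes the raw search term with one that escapes it for the HTML context it lands in, then runs the scanner's own probe against both. `htmlspecialchars()` with `ENT_QUOTES` is used as a stand-in for what a theme would do with WordPress's `esc_attr()` / `esc_html()`; the function names `render_search_unsafe`, `render_search_safe` and `is_reflected_unescaped` are invented for this example.

```php
<?php
// Added example (not part of the ticket). Reproduces the scanner's check locally.
// $probe is the URL-decoded value of the ?s= parameter quoted in the ticket.
$probe = "><script>alert('123')</script>";

// Vulnerable pattern: hypothetical theme code that echoes the raw search term
// straight into an attribute and into element text.
function render_search_unsafe(string $term): string {
    return '<input type="text" name="s" value="' . $term . '">'
         . '<h2>Search results for: ' . $term . '</h2>';
}

// Hardened pattern: encode the value for the HTML context it is placed in.
// htmlspecialchars(..., ENT_QUOTES) stands in for esc_attr()/esc_html();
// inside a real theme use get_search_query() (escaped by default) or
// esc_attr( get_query_var( 's' ) ) / esc_html( get_query_var( 's' ) ).
function render_search_safe(string $term): string {
    $esc = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="s" value="' . $esc . '">'
         . '<h2>Search results for: ' . $esc . '</h2>';
}

// The scanner's verdict, in its simplest form: does the injected markup come
// back verbatim? If it does, the browser will parse and execute it.
function is_reflected_unescaped(string $html, string $probe): bool {
    return strpos($html, $probe) !== false;
}

foreach (['unsafe' => 'render_search_unsafe', 'safe' => 'render_search_safe'] as $label => $fn) {
    $html = $fn($probe);
    printf("%-6s reflected=%s\n%s\n\n",
        $label,
        is_reflected_unescaped($html, $probe) ? 'yes' : 'no',
        $html);
}
```

Run it with `php example.php`: the unsafe renderer reports `reflected=yes` and emits a live `<script>` element, the safe one reports `reflected=no` and emits `&gt;&lt;script&gt;alert(&apos;123&apos;)...`. Two points a practitioner should take from it: the probe breaks out of both the `value="..."` attribute and the `<h2>` text, so the escaping has to cover every context the term is echoed into, not just the form field; and because WordPress core's `get_search_query()` already returns an escaped value, a reflection like the one in the scan report usually comes from theme or plugin code that reads `$_GET['s']` or `get_query_var('s')` and echoes it directly, which is where to look before reopening the scan.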