[wp-hackers] Re: Another 'WP + SQL injection' post

Ryan Boren ryan at boren.nu
Thu Oct 20 21:20:48 GMT 2005


On Thu, 2005-10-20 at 14:07 -0500, Robert Deaton wrote:
> magic_quotes doesn't apply here, this isn't from any superglobal. The
> WP-Developers rely on their own magic_quotes type filtering of the
> post and get superglobals for the rest of the code however (you can
> view this in wp-settings.php).
> 
> I brought this issue up with Matt at the IRC meetup yesterday, so
> hopefully we can get this fixed completely for 1.6, the whole
> wp-mail.php should be getting a lot of love.

http://trac.wordpress.org/changeset/2960

That needs to be tested.  If you use wp-mail, try it out.

Ryan

> On 10/20/05, Jon Bourne <jon at akbourne.com> wrote:
> > I stumbled across this yesterday on a local test WP install. I figured that
> > for some reason, WP developers--who know more than me about PHP--thought it
> > best to rely on magic quotes for wp-mail.php to function properly. I even
> > searched trac to see whether it had been filed, but didn't report it because
> > I assumed it was somehow my fault.
> >
> > I fixed the problem on my installation simply by adding addslashes() around
> > both the content and subject variables. I don't know whether there are other
> > fields that need to be escaped, but that has seemed to work for me.
> >
> > Oh, and by the way, hi, everyone. I'm new here, but have been silently
> > 'listening' for a couple months.
> >
> >
> > Jon Bourne
> > jon at akbourne.com
> > Personal site: akbourne.com
> > Personal business: verticentricity.com
> > Job where I actually make money: newsminer.com
> >  On Wed, 19 Oct 2005 17:21:19 +0100, Podz wrote:
> >
> > Date: Wed, 19 Oct 2005 17:21:19 +0100
> > From: Podz <podz at tamba2.org.uk>
> > Subject: [wp-hackers] Another 'WP + SQL injection' post
> > To: hackers <wp-hackers at lists.automattic.com>
> > Message-ID: <4356727F.4010304 at tamba2.org.uk>
> > Content-Type: text/plain; charset=UTF-8; format=flowed
> >
> > "Okay, this is a major concern for anyone with 'posting by email enabled'.
> > They warned you that giving out your address is a problem because other
> > people can post to your blog. That isn't all there is.
> > In at least my current version of wordpress (1.5.2), the wp-mail.php
> > page does not sanitize the input received and this leaves your database
> > open to sql insertion.
> > Because the layout of the database is easily discovered as a wordpress
> > database, hackers could add themselves, remove you, or perform any
> > other database function.
> >
> > Also, this has the unfortunate side effect of preventing emails
> > containing certain punctuation from being put into the database (think
> > quotations) and thus never getting out of your pop3 box until you
> > delete them.
> >
> > If this hasn't already been addressed in more recent versions, it needs
> > to be. "
> >
> > http://wordpress.org/support/topic/47321
> >
> > Would someone mind squashing this in the forums please ?
> >
> > P.
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> 
> 
> --
> --Robert Deaton
> http://somethingunpredictable.com
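The two symptoms the thread describes, a statement that breaks on ordinary punctuation and the escaping that Jon added by hand, modelled as an added example in Python against an in-memory SQLite table; this is not WordPress code and the table, column names and sample message are constructed for the demonstration. The `escape_sqlite` helper stands in for `addslashes()`: note that it doubles single quotes because that is SQLite's rule, whereas `addslashes()` backslash-escapes for MySQL, which is exactly why hand-rolled escaping is dialect-specific and the placeholder form below is the durable fix.

```python
import sqlite3

# Constructed sample "incoming e-mail" carrying the kind of punctuation
# Podz reports getting stuck in the POP3 box.
SAMPLE_SUBJECT = "It's broken"
SAMPLE_CONTENT = "Don't rely on magic_quotes"


def make_db():
    """Hypothetical posts table, shaped loosely like a blog's post store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)")
    return conn


def insert_interpolated(conn, subject, content):
    """Unsafe pattern: values spliced into the SQL text.
    Returns True if the row was stored, False if the statement was rejected."""
    sql = f"INSERT INTO posts (post_title, post_content) VALUES ('{subject}', '{content}')"
    try:
        conn.execute(sql)  # a quote inside subject ends the literal early
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def escape_sqlite(value):
    """Dialect-specific escaping, the SQLite analogue of addslashes() for MySQL."""
    return value.replace("'", "''")


def insert_escaped(conn, subject, content):
    """Jon's workaround: escape each field before splicing it in."""
    sql = (f"INSERT INTO posts (post_title, post_content) "
           f"VALUES ('{escape_sqlite(subject)}', '{escape_sqlite(content)}')")
    conn.execute(sql)
    conn.commit()
    return True


def insert_parameterized(conn, subject, content):
    """Hardened pattern: placeholders, so the driver keeps data out of the SQL grammar."""
    conn.execute("INSERT INTO posts (post_title, post_content) VALUES (?, ?)", (subject, content))
    conn.commit()
    return True


def stored_titles(conn):
    """Read back what actually made it into the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT post_title FROM posts ORDER BY id")]
```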
