[wp-hackers] WordPress Charset SQL Injection Vulnerability
Lloyd Budd
lloydomattic at gmail.com
Sat Dec 15 18:27:01 GMT 2007
On Dec 15, 2007 5:25 AM, Abel Cheung <abelcheung at gmail.com> wrote:
> On Dec 11, 2007 12:57 PM, DD32 <wordpress at dd32.id.au> wrote:
> > It also needs to know your table prefix.
>
> Unsure why I failed to reply this sooner. Getting table prefix is so
> trivial for newer wordpress:
>
> /?feed=rss2&p=-1
>
> Abel
As trivial as? This is a bit of an annoying way to present a software
bug. Anyway, thank you very much for letting us know about this!
http://trac.wordpress.org/ticket/5471
?feed=rss2&p=-1 results in db error, showing sql query (table prefixes)
The whole WordPress community really appreciate your help in
uncovering these issues. Are there other issues you know about that
you can share at this time?
(Assuming you haven't emailed security at wordpress.org and are giving
them an opportunity to fix the issue prior to public disclosure.)
Thanks again,
Lloyd
More information about the wp-hackers
mailing list