[wp-hackers] sql injection protected included?
Tom Barrett
tcbarrett at gmail.com
Tue Feb 28 22:25:49 UTC 2012
Apologies for going off topic, but are there resources showing (possibly
demonstrably) how WordPress tackles and reacts to security issues?
It must be a common issue for companies that use open source resources,
relying heavily on the community to make sure application development and
incident reporting is handled appropriately?
E.g. I might feel comfortable contributing to fix a PHP or WordPress issue,
but I am completely dependent on Ubuntu to handle that for my servers.
//Tom
Sent on Android
On Feb 28, 2012 9:04 PM, "Bjorn Wijers" <burobjorn at gmail.com> wrote:
> I apologize for not contacting the mentioned addresses, I wasn't sure if
> the plugin was indeed insecure or if I was just seeing ghosts. In the
> future I will contact the mentioned addresses even if I'm not 100% sure.
>
> Thanks for your quick reply and action!
>
> grtz
> BjornW
>
> Yes, that is an SQL injection and it is exploitable. The plugin has
>> been closed, the author will be contacted.
>>
>> In the future, please don't make security issues like this public
>> immediately. Contact plugins at wordpress.org or security at wordpress.org
>> first.
>>
>> -Otto
>>
>>
>>
>> On Tue, Feb 28, 2012 at 11:52 AM, Bjorn Wijers<burobjorn at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I was looking at this plugin's file[1] and I was a bit surprised about it
>>> not using wpdb->prepare() for escaping user input in db queries.
>>>
>>> I've tried to abuse this (proving this plugin contains a mistake and fix
>>> it), but failed.
>>>
>>> It seems that WordPress is using its own version of magic_quotes() called
>>> wp_magic_quotes() in wp-includes/load.php to actively prevent single quotes
>>> from being used in the wpdb->query()? Btw I'm sure magic_quotes() is off in
>>> my php.ini (although I do use the Suhosin patch). I'm using PHP 5.3.5.
>>>
>>> So why bother with wpdb->prepare() or any other higher level escape
>>> functions if WordPress has already (partially?) taken care of this?
>>>
>>> Just wondering, if some other people could have a look at this and perhaps
>>> enlighten me on sql injection protection and best practices (for WordPress
>>> plugins) given that I was under the impression one should always escape
>>> user input.
>>>
>>> [1] http://plugins.svn.wordpress.org/i-like-this/trunk/like.php
>>>
>>> Thanks in advance,
>>>
>>> Grtz
>>> BjornW
>>> _______________________________________________
>>> wp-hackers mailing list
>>> wp-hackers at lists.automattic.com
>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>
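The point Bjorn is asking about, as an added example that is not code from the thread or from the i-like-this plugin: wp_magic_quotes() only adds slashes in front of quote characters, so it can at best interfere with injection into a quoted string literal. A value concatenated into an unquoted (numeric) position needs no quote character at all, so addslashes()-style escaping does nothing there, which is why $wpdb->prepare() (or at least an integer cast) is still required. The table name `wp_likes` / `{$wpdb->prefix}likes`, the column names and the attack strings below are all constructed for this demonstration; simulate_wp_magic_quotes() stands in for the real wp_magic_quotes() so the file runs with the plain PHP CLI, and only wp_plugin_safe_query() uses the real WordPress $wpdb API.

```php
<?php
// Added example, not from the wp-hackers thread or the i-like-this plugin.
// Shows why wp_magic_quotes() is not SQL-injection protection and what a
// plugin should do instead. Runs stand-alone with `php example.php`.

// wp_magic_quotes() in wp-includes/load.php effectively runs addslashes()
// over $_GET/$_POST/$_COOKIE, the same transformation the old
// magic_quotes_gpc setting did. Simulated here (assumption for the demo)
// so the script does not need WordPress loaded.
function simulate_wp_magic_quotes(array $input) {
    return array_map('addslashes', $input);
}

// Vulnerable pattern: the untrusted value lands in an unquoted position.
// No quote character is needed to change the WHERE clause, so the slashes
// added above have nothing to escape. (wp_likes is a constructed table name.)
function build_vulnerable_query(array $request) {
    $post_id = $request['post_id']; // attacker-controlled
    return "SELECT votes FROM wp_likes WHERE post_id = " . $post_id;
}

// Minimal hardening without WordPress: coerce to the type you expect
// before the value gets anywhere near SQL.
function build_safe_query(array $request) {
    $post_id = (int) $request['post_id'];
    return "SELECT votes FROM wp_likes WHERE post_id = " . $post_id;
}

// What a plugin should do once WordPress is loaded: let $wpdb->prepare()
// handle typing, quoting and escaping. $wpdb, prepare(), get_var() and the
// %d placeholder are the real WordPress API; the likes table is assumed.
// Kept in a function so this file still runs outside WordPress.
function wp_plugin_safe_query($post_id) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT votes FROM {$wpdb->prefix}likes WHERE post_id = %d",
        (int) $post_id
    );
    return $wpdb->get_var($sql);
}

// Constructed attack inputs: one aimed at a numeric context, one at a
// quoted string context.
$attacks = array(
    'numeric context' => array('post_id' => '1 OR 1=1'),
    'string context'  => array('post_id' => "1' OR '1'='1"),
);

foreach ($attacks as $label => $raw) {
    $slashed = simulate_wp_magic_quotes($raw);
    echo $label, "\n";
    echo "  after wp_magic_quotes : ", $slashed['post_id'], "\n";
    echo "  vulnerable query      : ", build_vulnerable_query($slashed), "\n";
    echo "  hardened query        : ", build_safe_query($slashed), "\n";
}
```

Running it shows that `1 OR 1=1` passes through addslashes() untouched and turns the vulnerable query into `... WHERE post_id = 1 OR 1=1`, which matches every row, while the cast reduces it to `post_id = 1`. The string-context payload does get its quotes slashed, which breaks the query rather than protecting it. One caveat when moving to $wpdb->prepare(): it escapes again, so a string taken straight from $_POST still carries the slashes WordPress added and will be stored with literal backslashes unless you stripslashes() it first; for integers the cast sidesteps that entirely.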