[wp-trac] [WordPress Trac] #2758: Security issue: cat parameter is vulnerable to sql injection
WordPress Trac
wp-trac at lists.automattic.com
Thu Jun 1 07:09:21 GMT 2006
#2758: Security issue: cat parameter is vulnerable to sql injection
----------------------------+-----------------------------------------------
Id: 2758 | Status: new
Component: Administration | Modified: Thu Jun 1 07:09:21 2006
Severity: critical | Milestone: 2.1
Priority: highest | Version: 2.0.2
Owner: anonymous | Reporter: pcdinh
----------------------------+-----------------------------------------------
To get the content of a specific category I can request the following url:
http://www.path.com/wordpress/?cat=3
But when I try to send a request to http://www.path.com/wordpress/?cat=.
an unexpected error is returned:
WordPress database error: [You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax
to use near ') AND (post_type = 'post' AND (post_status = 'publish'))
ORDER BY post_date DES' at line 1]
SELECT DISTINCT wp_posts.* FROM wp_posts LEFT JOIN wp_post2cat ON
(wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND category_id IN (.) AND
(post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC
LIMIT 0, 10
What does WHERE 1=1 AND category_id IN (.) mean here?
So I think that we should check the cat parameter against an int value to prevent
WordPress from returning such errors.
Applicable to WP 2.0.2 and WP 2.1 alpha1
Thanks
--
Ticket URL: <http://trac.wordpress.org/ticket/2758>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
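As an added example, not code from the ticket or from WordPress: a Python sketch of the integer check the reporter asks for, with the string-built query reconstructed from the error output above for contrast. It assumes cat may be a comma-separated list of ids, and uses a constructed in-memory SQLite stand-in for wp_posts and wp_post2cat.

```python
import re
import sqlite3

# Hypothetical re-creation of the unsafe string building implied by the ticket's error output.
def vulnerable_category_sql(cat: str) -> str:
    return ("SELECT DISTINCT wp_posts.ID FROM wp_posts LEFT JOIN wp_post2cat ON "
            "(wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND category_id IN (%s) "
            "AND (post_type = 'post' AND (post_status = 'publish'))" % cat)

def parse_cat_param(cat: str):
    """Accept only integer category ids (comma-separated list assumed); otherwise None."""
    ids = []
    for part in cat.split(","):
        part = part.strip()
        if not re.fullmatch(r"[0-9]+", part):
            return None          # '.', '', or anything non-numeric is rejected here
        ids.append(int(part))
    return ids

def safe_category_query(cat: str):
    """Return (sql, params) with placeholders, or (None, ()) for invalid input."""
    ids = parse_cat_param(cat)
    if ids is None:
        return None, ()
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT DISTINCT wp_posts.ID, wp_posts.post_date FROM wp_posts LEFT JOIN "
           "wp_post2cat ON (wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND "
           "category_id IN (%s) AND (post_type = 'post' AND post_status = 'publish') "
           "ORDER BY post_date DESC LIMIT 0, 10" % placeholders)
    return sql, tuple(ids)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two WordPress tables named in the query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_date TEXT,
                               post_type TEXT, post_status TEXT);
        CREATE TABLE wp_post2cat (post_id INTEGER, category_id INTEGER);
        INSERT INTO wp_posts VALUES (1,'2006-05-01','post','publish'),
                                    (2,'2006-05-02','post','draft'),
                                    (3,'2006-05-03','post','publish');
        INSERT INTO wp_post2cat VALUES (1,3),(2,3),(3,5);""")
    return conn

def posts_for_cat(cat: str):
    """Post IDs from the hardened query; rejected input never reaches the database."""
    sql, params = safe_category_query(cat)
    return [] if sql is None else [row[0] for row in make_db().execute(sql, params)]
```

With `cat=.` the vulnerable builder still emits the `IN (.)` fragment from the ticket, while `posts_for_cat` returns an empty result without touching the database.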