[wp-trac] [WordPress Trac] #2758: Security issue: cat parameter is vulnerable to sql injection

WordPress Trac wp-trac at lists.automattic.com
Thu Jun 1 07:09:21 GMT 2006


#2758: Security issue: cat parameter is vulnerable to sql injection
----------------------------+-----------------------------------------------
       Id:  2758            |      Status:  new                     
Component:  Administration  |    Modified:  Thu Jun  1 07:09:21 2006
 Severity:  critical        |   Milestone:  2.1                     
 Priority:  highest         |     Version:  2.0.2                   
    Owner:  anonymous       |    Reporter:  pcdinh                  
----------------------------+-----------------------------------------------
 To get the content of a specific category I can request the following url:

 http://www.path.com/wordpress/?cat=3

 But when I try to send a request to http://www.path.com/wordpress/?cat=.
 an unexpected error is returned:

 WordPress database error: [You have an error in your SQL syntax; check the
 manual that corresponds to your MySQL server version for the right syntax
 to use near ') AND (post_type = 'post' AND (post_status = 'publish'))
 ORDER BY post_date DES' at line 1]
 SELECT DISTINCT wp_posts.* FROM wp_posts LEFT JOIN wp_post2cat ON
 (wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND category_id IN (.) AND
 (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC
 LIMIT 0, 10


 What does WHERE 1=1 AND category_id IN (.) mean here?

 So I think that we should check the cat parameter against an int value to
 prevent WordPress from returning such errors.

 Applicable to WP 2.0.2 and WP 2.1 alpha1

 Thanks

-- 
Ticket URL: <http://trac.wordpress.org/ticket/2758>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
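As an added illustration, not code from the ticket or from WordPress itself, the query shape shown in the error above is rebuilt against an in-memory SQLite stand-in: first with the raw `cat` value spliced into `IN (...)`, then with the integer check the report asks for plus a bound parameter. The tables, rows and function names are constructed for this example.

```python
import re
import sqlite3

# Constructed stand-in for the two tables named in the error message;
# not WordPress's real schema, just enough columns for the query to run.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_type TEXT, post_status TEXT, post_date TEXT);
        CREATE TABLE wp_post2cat (post_id INTEGER, category_id INTEGER);
        INSERT INTO wp_posts VALUES (1, 'one',   'post', 'publish', '2006-05-01'),
                                    (2, 'two',   'post', 'publish', '2006-05-02'),
                                    (3, 'draft', 'post', 'draft',   '2006-05-03');
        INSERT INTO wp_post2cat VALUES (1, 3), (2, 3), (3, 3), (2, 4);
    """)
    return db

def vulnerable_query(cat):
    # The pattern the ticket exposes: the request value lands in the SQL text
    # unchanged, so "?cat=." yields "IN (.)" and a database syntax error.
    return ("SELECT DISTINCT wp_posts.* FROM wp_posts LEFT JOIN wp_post2cat ON "
            "(wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND category_id IN (%s) "
            "AND (post_type = 'post' AND (post_status = 'publish')) "
            "ORDER BY post_date DESC LIMIT 0, 10" % cat)

def run_vulnerable(db, cat):
    """Returns the matching post IDs, or the error text the database raises."""
    try:
        return [row[0] for row in db.execute(vulnerable_query(cat))]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)

def parse_cat(cat):
    """The check the report suggests: accept only an unsigned integer."""
    if not re.fullmatch(r"[0-9]+", cat):
        return None
    return int(cat)

def safe_query(db, cat):
    """Rejects non-integer input up front and binds the value as a parameter."""
    cat_id = parse_cat(cat)
    if cat_id is None:
        return None  # refuse the request rather than let the database report it
    sql = ("SELECT DISTINCT wp_posts.* FROM wp_posts LEFT JOIN wp_post2cat ON "
           "(wp_posts.ID = wp_post2cat.post_id) WHERE category_id = ? AND "
           "post_type = 'post' AND post_status = 'publish' "
           "ORDER BY post_date DESC LIMIT 10")
    return [row[0] for row in db.execute(sql, (cat_id,))]
```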

