[wp-trac] Re: [WordPress Trac] #4690: Wordpress options.php SQL
Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Tue Jul 31 22:11:18 GMT 2007
#4690: Wordpress options.php SQL Injection Vulnerability
-------------------------------------+--------------------------------------
Reporter: BenjaminFlesch | Owner: Nazgul
Type: defect | Status: assigned
Priority: high | Milestone: 2.3 (trunk)
Component: Security | Version: 2.2.1
Severity: major | Resolution:
Keywords: has-patch needs-testing |
-------------------------------------+--------------------------------------
Comment (by BenjaminFlesch):
Okay, I know, but XSS flaws exist everywhere and this can be used
for persistent XSS. Append
' OR '"><script>alert(1)</script>'='"><script>alert(1)</script> to the
page_options value in one of the options files (e.g. options-privacy.php)
via WebDeveloper Toolbar and submit. Then, visit /options.php which dumps
the whole database without output validation -> Persistent XSS flaws.
Plus the step from XSS (Client/Webpage manipulation) to SQL Injection
(Database Manipulation) is taken. This makes attacks like adding users
much easier because they take less time the authenticated Admin needs to
stay on the attacker's page.
--beni
--
Ticket URL: <http://trac.wordpress.org/ticket/4690#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
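
The two defects the comment describes (an option name from the form reaching the SQL text, and stored values printed without escaping) can be closed as in the following added example, which is not code from the ticket or from WordPress. The in-memory table, the allowlist and the function names are assumptions made for illustration.

```php
<?php
// Added example, not WordPress code. Table layout, option names and the
// allowlist are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE options (option_name TEXT PRIMARY KEY, option_value TEXT)');
$db->exec("INSERT INTO options VALUES ('blog_public', '1'), ('blogname', 'Demo')");

// Names a settings form may update (hypothetical allowlist).
const ALLOWED_OPTIONS = ['blog_public', 'blogname'];

/** Split a page_options-style list and keep only allowlisted names. */
function filter_option_names(string $pageOptions): array
{
    $names = array_map('trim', explode(',', $pageOptions));
    return array_values(array_filter($names, function ($n) {
        return in_array($n, ALLOWED_OPTIONS, true);
    }));
}

/** Update one option with bound parameters; the name never enters the SQL text. */
function update_option_safe(PDO $db, string $name, string $value): void
{
    $stmt = $db->prepare('UPDATE options SET option_value = :v WHERE option_name = :n');
    $stmt->execute([':v' => $value, ':n' => $name]);
}

/** Render every option as a table row, HTML-escaping both columns. */
function render_options(PDO $db): string
{
    $html = '';
    $rows = $db->query('SELECT option_name, option_value FROM options ORDER BY option_name');
    foreach ($rows as $row) {
        $html .= '<tr><td>' . htmlspecialchars($row['option_name'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars($row['option_value'], ENT_QUOTES, 'UTF-8')
               . "</td></tr>\n";
    }
    return $html;
}

// Constructed form input: one legitimate name plus one carrying quotes and markup.
$submitted = "blog_public,x' OR '\"><b>'='\"><b>";
foreach (filter_option_names($submitted) as $name) {
    update_option_safe($db, $name, '0');   // only blog_public gets here
}
// A value that reached storage some other way is still inert when rendered.
update_option_safe($db, 'blogname', '"><b>stored</b>');
echo render_options($db);
```

Either control alone leaves a gap: the allowlist and bound parameters protect the query, while escaping at output protects the admin's browser from anything already stored.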