[wp-trac] Re: [WordPress Trac] #4690: Wordpress options.php SQL Injection Vulnerability

WordPress Trac wp-trac at lists.automattic.com
Tue Jul 31 22:11:18 GMT 2007


#4690: Wordpress options.php SQL Injection Vulnerability
-------------------------------------+--------------------------------------
 Reporter:  BenjaminFlesch           |        Owner:  Nazgul     
     Type:  defect                   |       Status:  assigned   
 Priority:  high                     |    Milestone:  2.3 (trunk)
Component:  Security                 |      Version:  2.2.1      
 Severity:  major                    |   Resolution:             
 Keywords:  has-patch needs-testing  |  
-------------------------------------+--------------------------------------
Comment (by BenjaminFlesch):

 Okay, I know, but XSS flaws exist everywhere and this can be used
 for persistent XSS. Append
 ' OR '"><script>alert(1)</script>'='"><script>alert(1)</script> to the
 page_options value in one of the options files (e.g. options-privacy.php)
 via WebDeveloper Toolbar and submit. Then, visit /options.php which dumps
 the whole database without output validation -> Persistent XSS flaws.
 Plus the step from XSS (Client/Webpage manipulation) to SQL injection
 (Database Manipulation) is taken. This makes attacks like adding users
 much easier because they take less time the authenticated Admin needs to
 stay on the attacker's page.
 --beni

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4690#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
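
The two defenses the comment above points at (treating the submitted page_options value as untrusted, and escaping what an options listing prints), as an added example that is not WordPress code and not part of the original message. It is plain PHP with PDO and an in-memory SQLite table; the table layout, the allowlist and all function names are assumptions.

```php
<?php
// Added example, not WordPress code; needs the pdo_sqlite extension.
// Table layout, allowlist and function names are assumptions.

function demo_db(): PDO { // constructed sample data
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE options (option_name TEXT PRIMARY KEY, option_value TEXT)');
    $ins = $db->prepare('INSERT INTO options VALUES (?, ?)');
    foreach ([['blog_public', '1'], ['blogname', '<script>alert(1)</script>'], ['secret', 'x']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// Split page_options and keep only names on the server-side allowlist.
function allowed_option_names(string $page_options, array $allowlist): array {
    $names = array_map('trim', explode(',', $page_options));
    return array_values(array_intersect($names, $allowlist));
}

// Fetch the requested options with bound parameters, never by concatenation.
function fetch_options(PDO $db, array $names): array {
    if ($names === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($names), '?'));
    $stmt = $db->prepare("SELECT option_name, option_value FROM options WHERE option_name IN ($marks)");
    $stmt->execute($names);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Escape name and value on output so stored markup is rendered as text.
function render_rows(array $options): string {
    $html = '';
    foreach ($options as $name => $value) {
        $html .= sprintf("<tr><th>%s</th><td>%s</td></tr>\n",
            htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

$db = demo_db();
$allow = ['blog_public', 'blogname'];
// The string from the comment, appended to a legitimate option name.
$tampered = "blog_public' OR '\"><script>alert(1)</script>'='\"><script>alert(1)</script>";
var_dump(allowed_option_names($tampered, $allow));
echo render_rows(fetch_options($db, allowed_option_names('blog_public,blogname', $allow)));
```

The allowlist is checked before any SQL is built, so a tampered hidden field selects nothing, and the stored markup in the sample `blogname` row is emitted as entity-encoded text.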

