[wp-trac] [WordPress Trac] #10841: admin-ajax.php SQL INJECTION!!

WordPress Trac wp-trac at lists.automattic.com
Tue Nov 3 08:39:51 UTC 2009


#10841: admin-ajax.php SQL INJECTION!!
-----------------------------+----------------------------------------------
 Reporter:  ulgaming         |       Owner:  westi        
     Type:  defect (bug)     |      Status:  assigned     
 Priority:  highest omg bbq  |   Milestone:  2.9          
Component:  Security         |     Version:  2.8.4        
 Severity:  blocker          |    Keywords:  sql injection
-----------------------------+----------------------------------------------

Comment(by hakre):

 Things which might be helpful: Start admin, get the list of hooks
 registered for admin-ajax, review the code for places where wpdb is used.
 WPDB must use the prepare (not the escape) member to properly escape
 values.

 Is it possible for the reporter to have 2.8.5 run and test whether this
 still applies or not?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/10841#comment:>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
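An added illustration of the review hakre describes (constructed example, not code from the ticket or from WordPress core): enumerate the hooks registered for admin-ajax, then contrast a handler that concatenates an escape()'d value into SQL with the prepare()-based form. The action name, nonce action and capability are assumed.

```php
<?php
// Added example, not part of the ticket or WordPress core. Hook name
// 'example_lookup', nonce action and capability are assumed for illustration.

// 1. Enumerate every AJAX action registered on this install, which is the
//    starting point the comment recommends for the review.
function example_list_ajax_hooks() {
    global $wp_filter;
    $hooks = array();
    foreach ( array_keys( $wp_filter ) as $tag ) {
        if ( strpos( $tag, 'wp_ajax_' ) === 0 ) {
            $hooks[] = $tag; // wp_ajax_nopriv_* entries run unauthenticated
        }
    }
    sort( $hooks );
    return $hooks;
}

// 2. The pattern the review is looking for: request input concatenated into
//    the query. escape() only backslash-escapes string characters; a numeric
//    field compared without quotes is still built from untrusted text.
function example_ajax_lookup_unsafe() {
    global $wpdb;
    $id  = $wpdb->escape( $_POST['post_id'] ); // defect: not a bound value
    $row = $wpdb->get_row( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = $id" );
    echo json_encode( $row );
    die();
}

// 3. The corrected form: capability check, nonce check, cast the input and
//    bind it through prepare() with a typed placeholder.
function example_ajax_lookup_safe() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        die( '-1' );
    }
    check_ajax_referer( 'example_lookup_nonce' ); // rejects forged requests
    global $wpdb;
    $id  = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d", $id )
    );
    echo json_encode( $row );
    die();
}
add_action( 'wp_ajax_example_lookup', 'example_ajax_lookup_safe' );
```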

