[wp-hackers] Re: Another 'WP + SQL injection' post

Robert Deaton false.hopes at gmail.com
Thu Oct 20 19:07:22 GMT 2005

magic_quotes doesn't apply here, this isn't from any superglobal. The
WP-Developers rely on their own magic_quotes type filtering of the
post and get superglobals for the rest of the code however (you can
view this in wp-settings.php).

I brought this issue up with Matt at the IRC meetup yesterday, so
hopefully we can get this fixed completely for 1.6, the whole
wp-mail.php should be getting a lot of love.

On 10/20/05, Jon Bourne <jon at akbourne.com> wrote:
> I stumbled across this yesterday on a local test WP install. I figured that
> for some reason, WP developers--who know more than me about PHP--thought it
> best to rely of magic quotes for wp-mail.php to function properly. I even
> searched trac to see whether it had been filed, but didn't report it because
> I assumed it was somehow my fault.
> I fixed the problem on my installation simply by adding addslashes() around
> both the content and subject variables. I don't know whether there are other
> fields that need to be escaped, but that has seemed to work for me.
> Oh, and by the way, hi, everyone. I'm new here, but have been silently
> 'listening' for a couple months.
> Jon Bourne
> jon at akbourne.com
> Personal site: akbourne.com
> Personal business: verticentricity.com
> Job where I actually make money: newsminer.com
>  On Wed, 19 Oct 2005 17:21:19 +0100, Podz wrote:
> Date: Wed, 19 Oct 2005 17:21:19 +0100
> From: Podz <podz at tamba2.org.uk>
> Subject: [wp-hackers] Another 'WP + SQL injection' post
> To: hackers <wp-hackers at lists.automattic.com>
> Message-ID: <4356727F.4010304 at tamba2.org.uk>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> "Okay, this is a major concern for anyone with 'posting by email enabled'.
> The warned you that giving out your address is a problem because other
> people can post to your blog. That isn't all there is.
> In at least my current version of wordpress (1.5.2), the wp-mail.php
> page does not sanatize the input received and this leaves your database
> open the sql insertion.
> Because the layout of the database is easily discovered as a wordpress
> data base, hackers could add themselves, remove you, or perform any
> other data base function.
> Also, this has the unfortunate side effect of preventing emails
> containing certain punctuation from being put into the data base(think
> quotations) and thuse never getting out of your pop3 box until you
> delete them.
> If this hasn't already been addressed in more recent versions, it needs
> to be. "
> http://wordpress.org/support/topic/47321
> Would someone mind squashing this in the forums please ?
> P.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

--Robert Deaton

More information about the wp-hackers mailing list