[wp-hackers] 1.5.2 SQL Injection
darryl at vandorp.ca
Fri Mar 10 14:39:47 GMT 2006
Can someone answer definitively: does this affect versions prior to WordPress
2.0? The 2.0.2 release announcement seems vague.
On 3/6/06, Podz <podz at tamba2.org.uk> wrote:
> Patrik Karlsson reported that WordPress 1.5.2 makes use of an
> insufficiently filtered User Agent string in SQL queries related to
> comments posting. This vulnerability was already fixed in the 2.0-series
> of WordPress.
> An attacker could send a comment with a malicious User Agent parameter,
> resulting in SQL injection and potentially in the subversion of the
> WordPress database. This vulnerability wouldn't affect WordPress sites
> which do not allow comments or which require that comments go through a
> Reported in the forums:
> There are a lot of people still using 1.5.2
> Can this be patched so an upgrade does not have to be the response?
> An announcement is also called for surely?
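The bug class the quoted advisory describes, shown as an added example that is not WordPress's own code: a comment INSERT where the author and body are escaped but the User-Agent header is spliced into the SQL text raw, beside the same insert with every request-controlled value bound as a parameter. It assumes PDO with the SQLite driver; the table and column names mirror wp_comments, but the query text, the function names and the malicious header value are constructed for this illustration and are not taken from the 1.5.2 source. The same failure applies to any other request field spliced into SQL the same way, not only the User-Agent.

```php
<?php
// Added example, not WordPress code: unsafe vs. safe handling of the
// User-Agent header during comment posting. Table/column names follow
// wp_comments for familiarity; the statements themselves are illustrative.

function setupDb(): PDO {
    // Assumption: PDO sqlite driver available; an in-memory DB is enough here.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE wp_comments (
        comment_ID INTEGER PRIMARY KEY AUTOINCREMENT,
        comment_author TEXT NOT NULL,
        comment_content TEXT NOT NULL,
        comment_agent TEXT NOT NULL,
        comment_approved INTEGER NOT NULL DEFAULT 0)");
    return $db;
}

// Unsafe (hypothetical): author and content are quoted, but the User-Agent
// is interpolated verbatim, so the client controls part of the SQL text.
function insertCommentUnsafe(PDO $db, string $author, string $content, string $agent): void {
    $author  = $db->quote($author);
    $content = $db->quote($content);
    $sql = "INSERT INTO wp_comments (comment_author, comment_content, comment_agent, comment_approved)
            VALUES ($author, $content, '$agent', 0)";
    $db->exec($sql);
}

// Safe: every request-controlled value, the header included, is a bound
// parameter and can never alter the structure of the statement.
function insertCommentSafe(PDO $db, string $author, string $content, string $agent): void {
    $stmt = $db->prepare("INSERT INTO wp_comments (comment_author, comment_content, comment_agent, comment_approved)
                          VALUES (?, ?, ?, 0)");
    $stmt->execute([$author, $content, $agent]);
}

// Constructed malicious User-Agent: closes the quoted agent value, supplies
// its own comment_approved, then comments out the rest of the VALUES list.
// The trailing space after "--" matters for MySQL's comment syntax.
$evilAgent = "x', 1) -- ";

$db = setupDb();
insertCommentUnsafe($db, 'mallory', 'hello', $evilAgent);
insertCommentSafe($db, 'mallory', 'hello', $evilAgent);

foreach ($db->query("SELECT comment_ID, comment_agent, comment_approved FROM wp_comments ORDER BY comment_ID") as $row) {
    printf("%d agent=%s approved=%d\n", $row['comment_ID'], $row['comment_agent'], $row['comment_approved']);
}
```

Run it with the php command-line binary. Through the unsafe path the header alone decides the value of comment_approved, so a comment the site intended to hold back is published; through the prepared statement the identical header is stored as an ordinary string and the comment keeps its default status. A subselect placed at the same point in the header would copy data from other tables into the comment row, which is the database subversion the advisory warns about, so the fix is binding (or, failing that, escaping) every value from the request, not only the visible form fields.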