[wp-hackers] SQL injection

Otto otto at ottodestruct.com
Wed Dec 5 19:02:04 GMT 2007

I can bring up an SQL error in 2.3 when I use an invalid post ID
number, but I can do that without any of the extra crap.
http://example.com/blog/?feed=rss2&p=1 (where 1 is not a valid post ID
number) gives an SQL error because the comments feed is trying to get
comments for the first post in the returned post array. Since there
isn't any returned post, it errors out with invalid SQL.

But I can't get p=whatever to inject into the post ID field. What's
more, you wouldn't expect to do so, because the p parameter is forced
to an int. query.php line 449: $qv['p'] =  (int) $qv['p'];

I can't see any way for this to work. All his extra added code there
gets removed before it uses it in any SQL.

On 12/5/07, James Davis <james at freecharity.org.uk> wrote:
> Andre SC wrote:
> > http://www.securityfocus.com/archive/1/484608/30/0/threaded
> I can't replicate that but there's a sniff of a grain of truth about it.
> I can bring up an SQL error in 2.3 using similar code but I can't
> replicate it using trunk.
> James
> --
> FreeCharity.org.uk - Free hosting for charities and non-profits
> WordPress and Blogging Consultancy       -      (01348) 800101
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list