[wp-hackers] SQL injection signaled but no info about it.. fake or truth?
Otto
otto at ottodestruct.com
Wed Apr 16 12:08:49 GMT 2008
I looked through the comments code myself and didn't see the escaping, so I
sent an email off to security and Ryan responded back to me pointing out this
code in wp-settings.php:
// Escape with wpdb.
$_GET = add_magic_quotes($_GET );
$_POST = add_magic_quotes($_POST );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);
Everything that comes in there should be escaped by those functions. So I
can't find an exploit through the comments door.
On Wed, Apr 16, 2008 at 12:53 AM, Stefano Aglietti <steagl4ml at gmail.com> wrote:
> http://www.securityfocus.com/bid/28703/info
>
> Talks about a possible SQL injection exploit in the comment form, but there
> is no info nor any example of the bug.
>
> Should it be true? In this case 2.5.1 needs to be released immediately; if
> not, maybe some official words will help, because you know how the net
> likes to talk bad about WP if there is a chance to do so :)
>
> --
>
> Stefano Aglietti - StallonIt on IRCnet - ICQ#: 2078431
> Email: steve at 40annibuttati.it steagl at people.it
> Sites: http://www.40annibuttati.it (personal blog)
> http://www.wordpress-it.it (WordPress Italia)
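To make the escaping pass Otto quotes concrete, here is an added, standalone example (not code from WordPress or from anyone in this thread): a reimplementation of the recursive addslashes() behaviour of add_magic_quotes(), run over constructed request data, together with the check a reviewer would want, namely that the escaping only protects values placed inside quoted string literals and that unquoted numeric values need a cast. Function and variable names are ours, not WordPress's.

```php
<?php
// Added example, not WordPress code. Mirrors the effect of the
// superglobal-wide add_magic_quotes() pass in wp-settings.php, which
// recursively applies addslashes() to every string in the request arrays.

/** Recursively addslashes() every string value in an array (nested arrays included). */
function demo_add_magic_quotes(array $input): array
{
    foreach ($input as $key => $value) {
        $input[$key] = is_array($value)
            ? demo_add_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $input;
}

/** Build the comment INSERT the way a quoted-string context would: escaped values inside ''. */
function build_comment_insert(array $escaped): string
{
    return "INSERT INTO wp_comments (comment_content, comment_author) "
         . "VALUES ('{$escaped['comment']}', '{$escaped['author']}')";
}

/**
 * Numeric columns are not protected by addslashes(): there are no quotes for
 * the backslash to matter in. Casting to int is the mitigation for that context.
 */
function build_post_lookup(array $escaped): string
{
    $post_id = (int) $escaped['comment_post_ID'];
    return "SELECT ID FROM wp_posts WHERE ID = $post_id";
}

// Constructed request data standing in for $_POST on a comment submission.
$post = [
    'comment'         => "Nice post' -- it's great",
    'author'          => "O'Reilly",
    'comment_post_ID' => '12abc',   // deliberately non-numeric to show the cast
    'meta'            => ['url' => "http://example.invalid/?q='x'"],
];

$escaped = demo_add_magic_quotes($post);

echo build_comment_insert($escaped), "\n";
// -> ... VALUES ('Nice post\' -- it\'s great', 'O\'Reilly')
echo build_post_lookup($escaped), "\n";
// -> SELECT ID FROM wp_posts WHERE ID = 12   (cast discards the trailing junk)
echo $escaped['meta']['url'], "\n";
// -> http://example.invalid/?q=\'x\'        (nested arrays are escaped too)
```

The takeaway for anyone auditing the comment path is to check both halves: that every string value really does pass through this escaping before reaching wpdb, and that any value used outside quotes (IDs, limits, offsets) is cast or validated rather than relying on addslashes().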