[wp-hackers] sql injection protected included?

Bjorn Wijers burobjorn at gmail.com
Tue Feb 28 21:04:42 UTC 2012


I apologize for not contacting the mentioned addresses; I wasn't sure if 
the plugin was indeed insecure or if I was just seeing ghosts. In the 
future I will contact the mentioned addresses even if I'm not 100% sure.

Thanks for your quick reply and action!

grtz
BjornW

> Yes, that is an SQL injection and it is exploitable. The plugin has
> been closed, the author will be contacted.
>
> In the future, please don't make security issues like this public
> immediately. Contact plugins at wordpress.org or security at wordpress.org
> first.
>
> -Otto
>
>
>
> On Tue, Feb 28, 2012 at 11:52 AM, Bjorn Wijers <burobjorn at gmail.com> wrote:
>> Hi,
>>
>> I was looking at this plugin's file[1] and I was a bit surprised about it
>> not using wpdb->prepare() for escaping user input in db queries.
>>
>> I've tried to abuse this (proving this plugin contains a mistake and fixing
>> it), but failed.
>>
>> It seems that WordPress is using its own version of magic_quotes() called
>> wp_magic_quotes() in wp-includes/load.php to actively prevent single quotes
>> from being used in the wpdb->query()? Btw I'm sure magic_quotes() is off in
>> my php.ini (although I do use the Suhosin Patch). I'm using PHP 5.3.5.
>>
>> So why bother with wpdb->prepare() or any other higher level escape
>> functions if WordPress is already (partially?) taking care of this?
>>
>> Just wondering if some other people could have a look at this and perhaps
>> enlighten me on SQL injection protection and best practices (for WordPress
>> plugins) given that I was under the impression one should always escape user
>> input.
>>
>> [1] http://plugins.svn.wordpress.org/i-like-this/trunk/like.php
>>
>> Thanks in advance,
>>
>> Grtz
>> BjornW
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
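The question raised in the first message of this thread (why use wpdb->prepare() when wp_magic_quotes() already escapes quotes) in an added PHP example; this is not code from the i-like-this plugin or from anyone on the list, and the table, column and function names are assumptions made for illustration:

```php
<?php
/*
 * Added example (hypothetical plugin code, not i-like-this): a handler
 * that reads a per-post counter. The table "{prefix}hypothetical_likes",
 * its column "post_id" and the "post_id" request parameter are assumptions.
 */

// Vulnerable form: the value is interpolated into an unquoted numeric slot.
// wp_magic_quotes() only adds backslashes before quote characters, so a
// value that contains no quotes reaches the query unchanged and can change
// the meaning of the WHERE clause. Escaping quotes is not parameterisation.
function hypothetical_like_count_unsafe( $wpdb, $post_id ) {
    $table = $wpdb->prefix . 'hypothetical_likes';
    return $wpdb->get_var( "SELECT COUNT(*) FROM {$table} WHERE post_id = {$post_id}" );
}

// Hardened form: wpdb::prepare() with %d casts the value to an integer
// (and %s would quote and escape a string), independent of any
// magic_quotes / wp_magic_quotes behaviour.
function hypothetical_like_count_safe( $wpdb, $post_id ) {
    $table = $wpdb->prefix . 'hypothetical_likes';
    $sql   = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE post_id = %d",
        $post_id
    );
    return (int) $wpdb->get_var( $sql );
}

// Validate at the request boundary as well: only a positive integer that
// names an existing post is allowed through. Returns null when rejected.
function hypothetical_like_count_handler() {
    global $wpdb;
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( 0 === $post_id || ! get_post( $post_id ) ) {
        return null;
    }
    return hypothetical_like_count_safe( $wpdb, $post_id );
}
```

Reviewing a plugin for this pattern means looking for any $wpdb->query()/get_var()/get_results() call whose SQL is built with string interpolation rather than going through prepare(), paying particular attention to unquoted numeric positions, which quote escaping cannot protect.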

