[wp-hackers] sql injection protected included?

Mika A Epstein ipstenu at ipstenu.org
Wed Feb 29 01:20:28 UTC 2012


Showing... Kind of.

I mean there's http://codex.wordpress.org/Security_FAQ but I don't think that's what you're looking for. You're thinking like an MS level of vulnerability disclosures, right?

On 28 Feb 2012, at 4:25:49PM, Tom Barrett wrote:

> Apologies for going off topic, but are there resources showing (possibly
> demonstrably) how WordPress tackles and reacts to security issues?
> 
> It must be a common issue for companies that use open source resources,
> relying heavily on the community to make sure application development and
> incident reporting is handled appropriately?
> 
> E.g. I might feel comfortable contributing to fix a PHP or WordPress issue,
> but I am completely dependent on Ubuntu to handle that for my servers.
> 
> //Tom
> Sent on Android
> On Feb 28, 2012 9:04 PM, "Bjorn Wijers" <burobjorn at gmail.com> wrote:
> 
>> I apologize for not contacting the mentioned addresses, I wasn't sure if
>> the plugin was indeed insecure or if I was just seeing ghosts. In the
>> future I will contact the mentioned addresses even if I'm not 100% sure.
>> 
>> Thanks for your quick reply and action!
>> 
>> grtz
>> BjornW
>> 
>>> Yes, that is an SQL injection and it is exploitable. The plugin has
>>> been closed, the author will be contacted.
>>> 
>>> In the future, please don't make security issues like this public
>>> immediately. Contact plugins at wordpress.org or security at wordpress.org
>>> first.
>>> 
>>> -Otto
>>> 
>>> 
>>> 
>>> On Tue, Feb 28, 2012 at 11:52 AM, Bjorn Wijers <burobjorn at gmail.com> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I was looking at this plugin's file[1] and I was a bit surprised about it
>>>> not using wpdb->prepare() for escaping user input in db queries.
>>>> 
>>>> I've tried to abuse this (proving this plugin contains a mistake and fix
>>>> it), but failed.
>>>> 
>>>> It seems that WordPress is using its own version of magic_quotes(), called
>>>> wp_magic_quotes(), in wp-includes/load.php to actively prevent single quotes
>>>> from being used in wpdb->query()? Btw I'm sure magic_quotes() is off in
>>>> my php.ini (although I do use the Suhosin Patch). I'm using PHP 5.3.5.
>>>> 
>>>> So why bother with wpdb->prepare() or any other higher level escape
>>>> functions if WordPress has already (partially?) taken care of this?
>>>> 
>>>> Just wondering if some other people could have a look at this and perhaps
>>>> enlighten me on SQL injection protection and best practices (for WordPress
>>>> plugins), given that I was under the impression one should always escape
>>>> user input.
>>>> 
>>>> [1] http://plugins.svn.wordpress.org/i-like-this/trunk/like.php
>>>> 
>>>> Thanks in advance,
>>>> 
>>>> Grtz
>>>> BjornW
>>>> _______________________________________________
>>>> wp-hackers mailing list
>>>> wp-hackers at lists.automattic.com
>>>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>>> 
>>> 
>> 

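Added illustration of the point BjornW raises and Otto confirms, as editor's example (not code from the i-like-this plugin, from WordPress core, or from anyone in the thread). It assumes the standard WordPress global $wpdb and a hypothetical table {$wpdb->prefix}likes with columns post_id (int) and ip (varchar). The unsafe function shows why wp_magic_quotes() is not a substitute for $wpdb->prepare(): slash-escaping only neutralises quote characters, so a value interpolated into an unquoted numeric position is not protected at all, whereas prepare()'s %d/%s placeholders cast or escape-and-quote the value regardless of what happened to the superglobals.

```php
<?php
// Editor's example for the wp-hackers thread above; not plugin or core code.
// Assumes WordPress is loaded: global $wpdb (class wpdb) and a hypothetical
// table {$wpdb->prefix}likes (post_id INT, ip VARCHAR).

/**
 * UNSAFE: the request value is interpolated straight into the SQL text.
 * wp_magic_quotes() backslash-escapes quote characters in the superglobals,
 * but $post_id sits in an unquoted numeric position, where backslashes are
 * irrelevant: anything other than a bare integer alters the query.
 */
function ilt_like_count_unsafe( $post_id ) {
    global $wpdb;
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}likes WHERE post_id = $post_id";
    return (int) $wpdb->get_var( $sql );
}

/**
 * SAFE: $wpdb->prepare() builds the statement from placeholders.
 * %d forces an integer; %s escapes the value and wraps it in quotes.
 * This works the same whether or not wp_magic_quotes() touched the input.
 */
function ilt_like_count_safe( $post_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}likes WHERE post_id = %d",
        $post_id
    );
    return (int) $wpdb->get_var( $sql );
}

/**
 * SAFE insert: %s for the string column, so no manual addslashes() is needed.
 * Values read from $_GET/$_POST/$_COOKIE/$_SERVER already carry the slashes
 * wp_magic_quotes() added; strip them first (wp_unslash(), WordPress 3.6+,
 * or stripslashes_deep() on older versions) so prepare() does not escape twice.
 */
function ilt_record_like_safe( $post_id, $ip ) {
    global $wpdb;
    return $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}likes (post_id, ip) VALUES (%d, %s)",
        $post_id,
        $ip
    ) );
}

// Typical call site (constructed): cast at the boundary, then prepare().
$post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
$ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? wp_unslash( $_SERVER['REMOTE_ADDR'] ) : '';
ilt_record_like_safe( $post_id, $ip );
echo ilt_like_count_safe( $post_id );
```

The practical rule this encodes: escaping at the input layer (magic quotes, wp_magic_quotes()) only covers quoted string contexts, and only if the value is never unslashed or transformed before reaching the query; parameterising every query with $wpdb->prepare() (or $wpdb->insert()/$wpdb->update(), which prepare internally) covers numeric and string contexts alike, which is why the plugin Otto closed was exploitable despite WordPress's slashing.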

