Re: Re: WordPress Search Function SQL-Injection

2007-03-02 Thread none
well actually there's no sql injection in the wordpress search module.
i think it's important to mention this ..
this is a simple sql error.
and by the way it works with: + too ;)

regards laurent gaffié


Re: WordPress Search Function SQL-Injection

2007-02-27 Thread ascii
Justin Frydman - Thinkweb Media wrote:
> Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

i have the same feeling

tested on multiple wp instances and can't reproduce on >= 2.0.1 <= 2.0.7

regards, Francesco 'ascii' Ongaro
http://www.ush.it/


Re: WordPress Search Function SQL-Injection

2007-02-27 Thread kelson
This looks like the bug described here: http://trac.wordpress.org/ticket/3722
"DB error when sanitized search string results in empty query" (Filed January 
31)

According to that page:
> I guess it's also worth mentioning that commas
> _are_ being sanitized. The reason for the error is
> that once the commas are gone WordPress attempts 
> to wrap the search query with "AND ( $search )"
> 
> Since $search is null MySQL throws up an error.

The same error results from searching for just a space.  In either case, adding 
other characters to the field results in the expected query.  It doesn't look 
like injection would be possible.
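
The failure mode described in the message above, as an added example that is not part of the original post and is not WordPress's code: a simplified Python/SQLite model in which a builder that always emits the `AND ( ... )` wrapper fails once sanitizing leaves no terms, beside one that omits the clause. Table, column and function names are assumptions, and bound parameters stand in for WordPress's own escaping.

```python
import sqlite3

# Simplified model (an assumption, not WordPress source) of the behaviour
# described in the thread: commas are stripped, the surviving terms become
# LIKE conditions, and the result is wrapped in "AND ( ... )".

def search_terms(raw):
    """Strip commas and split on whitespace; may return an empty list."""
    return raw.replace(",", " ").split()

def build_query_buggy(raw):
    terms = search_terms(raw)
    search = " OR ".join("title LIKE ?" for _ in terms)
    # Bug: the wrapper is emitted even when no terms survived sanitizing,
    # which yields "AND ()" exactly as in the quoted error message.
    sql = f"SELECT title FROM posts WHERE 1=1 AND ({search}) AND status = 'publish'"
    return sql, [f"%{t}%" for t in terms]

def build_query_fixed(raw):
    terms = search_terms(raw)
    sql = "SELECT title FROM posts WHERE 1=1"
    if terms:  # add the search clause only when there is something to search
        sql += " AND (" + " OR ".join("title LIKE ?" for _ in terms) + ")"
    return sql + " AND status = 'publish'", [f"%{t}%" for t in terms]

def run(builder, raw):
    """Return matching titles, or the database error text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (title TEXT, status TEXT)")
    # Constructed sample rows.
    db.executemany("INSERT INTO posts VALUES (?, ?)",
                   [("Hello world", "publish"), ("Secret draft", "draft")])
    sql, params = builder(raw)
    try:
        return [row[0] for row in db.execute(sql, params)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"

if __name__ == "__main__":
    for raw in (",", " ", "hello", "draft'"):
        print(repr(raw), "buggy:", run(build_query_buggy, raw),
              "| fixed:", run(build_query_fixed, raw))
```

The error appears only when the term list is empty; any surviving text, including a quote character, reaches the database as data and never changes the shape of the statement.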


Re: WordPress Search Function SQL-Injection

2007-02-27 Thread Justin Frydman - Thinkweb Media

Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then?

On Tue, 27 Feb 2007 21:39:55 +0100 (CET), SaMuschie <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> +--- -  -- -
> | SaMuschie Research Labs proudly presents . . .
> +---  -- -  -  
> | Application: wordpress
> | Version: <= 2.1.1
> | Vuln./Exploit Type: SQL-Injection
> | Status: 0day
> +- --  -  -  
> | Discovered by: Samenspender
> | Released: 20070227
> | SaMuschie Release Number: 2
> +--- -  -- -
> 
> Searching for a single ,,comma,, generates a sql error message.
> 
> e.g.:
> 
> http://wordpress-deutschland.org/?s=,
> 
> results in:
> 
> "WordPress Datenbank-Fehler: [You have an error in your SQL syntax;
> check the
> manual that corresponds to your MySQL server version for the right syntax
> to 
> use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER
> BY 
> post_date DE' at line 1] 
> SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND
> () 
> AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date
> DESC
> LIMIT 0, 10"
> 
> +-  -- -
> | Lameness Disclaimer
> +- - -- -  -  
> | SaMuschie Research Labs was found to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> | 
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of 
> | this advisory are requested not to ask any questions
> | to the researchers they don't know the answer ;) 
> +--  - --  - -



WordPress Search Function SQL-Injection

2007-02-27 Thread SaMuschie
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

+--- -  -- -
| SaMuschie Research Labs proudly presents . . .
+---  -- -  -  
| Application: wordpress
| Version: <= 2.1.1
| Vuln./Exploit Type: SQL-Injection
| Status: 0day
+- --  -  -  
| Discovered by: Samenspender
| Released: 20070227
| SaMuschie Release Number: 2
+--- -  -- -

Searching for a single ,,comma,, generates a sql error message.

e.g.:

http://wordpress-deutschland.org/?s=,

results in:

"WordPress Datenbank-Fehler: [You have an error in your SQL syntax; check 
the
manual that corresponds to your MySQL server version for the right syntax to 
use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY 
post_date DE' at line 1] 
SELECT SQL_CALC_FOUND_ROWS wpdorg_posts.* FROM wpdorg_posts WHERE 1=1 AND () 
AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC
LIMIT 0, 10"

+-  -- -
| Lameness Disclaimer
+- - -- -  -  
| SaMuschie Research Labs was found to publish
| vulnerabilities within well known software products,
| which are easy to discover and exploit.
| 
| SaMuschie researchers just spend a minimum of time
| and knowledge for each vulnerability. Hence readers of 
| this advisory are requested not to ask any questions
| to the researchers they don't know the answer ;) 
+--  - --  - -


