Opened 6 years ago

Closed 5 years ago

#11779 closed defect (bug) (fixed)

ms-edit.php creates garbage data for anything that is potentially affected by addslashes() and is on the whole completely unsanitized

Reported by: Denis-de-Bernardy Owned by: ryan
Milestone: 3.0 Priority: normal
Severity: critical Version: 3.0
Component: Security Keywords:
Focuses: multisite Cc:

Description

In addition to not getting the handy strip_slashes_deep(), we have a completely unsanitized query:

		// update blogs table
		$result = $wpdb->query( "UPDATE {$wpdb->blogs} SET
				domain       = '".$_POST[ 'blog' ][ 'domain' ]."',
				path         = '".$_POST[ 'blog' ][ 'path' ]."',
				registered   = '".$_POST[ 'blog' ][ 'registered' ]."',
				public       = '".$_POST[ 'blog' ][ 'public' ]."',
				archived     = '".$_POST[ 'blog' ][ 'archived' ]."',
				mature       = '".$_POST[ 'blog' ][ 'mature' ]."',
				deleted      = '".$_POST[ 'blog' ][ 'deleted' ]."',
				spam         = '".$_POST[ 'blog' ][ 'spam' ]."'
			WHERE  blog_id = '$id'" );
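For comparison with the query quoted above, here is a hardened replacement as an added example; it is not code from the ticket or from WordPress core. It assumes it runs inside a WordPress admin request where `$wpdb` is loaded and the caller has already checked capabilities and a nonce; the function name is a placeholder. It does the two things the ticket asks for: it undoes the request slashing once with `stripslashes_deep()` so that slashes in the input are not stored as garbage, and it validates every column before handing the values to `$wpdb->update()`, which escapes them according to the declared format instead of interpolating `$_POST` into the SQL string.

```php
<?php
/**
 * Added example (placeholder name, not WordPress core code): hardened
 * replacement for the UPDATE quoted in the ticket description.
 *
 * @param int   $id  Blog ID to update (assumed already taken from the request).
 * @param array $raw The raw $_POST['blog'] array.
 * @return int|false Rows affected, or false when the input is rejected.
 */
function ms_edit_update_blog_hardened( $id, array $raw ) {
    global $wpdb;

    // Request data arrives slashed (magic quotes / wp_magic_quotes()). Undo
    // that exactly once, for this array only, so the stored values carry no
    // literal backslashes and the validation below sees the real input.
    $blog = stripslashes_deep( $raw );

    $id = absint( $id );
    if ( ! $id ) {
        return false;
    }

    // Whitelist each column explicitly: no field reaches the query unvalidated.
    $domain = strtolower( trim( isset( $blog['domain'] ) ? $blog['domain'] : '' ) );
    if ( ! preg_match( '/^[a-z0-9][a-z0-9.-]*$/', $domain ) ) {
        return false;
    }

    // Path must be "/" or "/segment/.../" with leading and trailing slash.
    $path = isset( $blog['path'] ) ? $blog['path'] : '/';
    if ( ! preg_match( '#^/(?:[A-Za-z0-9_-]+/)*$#', $path ) ) {
        return false;
    }

    // registered is a MySQL DATETIME; require an exact round-trip rather than
    // letting the database silently coerce a malformed value to zeros.
    $registered = isset( $blog['registered'] ) ? $blog['registered'] : '';
    $dt = DateTime::createFromFormat( 'Y-m-d H:i:s', $registered );
    if ( ! $dt || $dt->format( 'Y-m-d H:i:s' ) !== $registered ) {
        return false;
    }

    $data   = array( 'domain' => $domain, 'path' => $path, 'registered' => $registered );
    $format = array( '%s', '%s', '%s' );

    // Status flags are 0/1 in the schema: coerce, never pass the raw string on.
    foreach ( array( 'public', 'archived', 'mature', 'deleted', 'spam' ) as $flag ) {
        $data[ $flag ] = ( isset( $blog[ $flag ] ) && '1' === (string) $blog[ $flag ] ) ? 1 : 0;
        $format[]      = '%d';
    }

    // $wpdb->update() builds the statement through $wpdb->prepare() and escapes
    // every value according to $format, so quotes or backslashes in the input
    // cannot terminate the string literal the way the concatenated query could.
    return $wpdb->update(
        $wpdb->blogs,
        $data,
        array( 'blog_id' => $id ),
        $format,
        array( '%d' )
    );
}
```

The validation rules for `domain` and `path` are deliberately strict placeholders; a real patch would match whatever the multisite setup already accepts. The important property is that rejected input never reaches the database and accepted input is escaped by the database layer, not by whatever slashing the request happened to carry.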

Change History (7)

comment:1 @Denis-de-Bernardy 6 years ago

  • Summary changed from SQL injection is possible in ms-edit.php? to SQL injection would be possible in ms-edit.php if it weren't for magic quotes

comment:2 @nacin 6 years ago

  • Keywords multisite added

Denis:
Ryan has blessed a new keyword 'multisite' for when we opt for a component other than Multisite on a ticket. I'm going to start adding it, can you possibly create a report that highlights all Multisite keyword/component tickets?

comment:3 @Denis-de-Bernardy 6 years ago

See also #11774, #11775, #11776, #11777, #11778...

Basically, in this file, anything that can potentially be changed by addslashes/stripslashes can lead to bugs and problems. The function that is noted in #11771 is a completely incorrect means to fix this.

Re report: will do.

comment:4 @Denis-de-Bernardy 6 years ago

  • Summary changed from SQL injection would be possible in ms-edit.php if it weren't for magic quotes to ms-edit.php creates garbage data for anything that can potentially contain a slash and is on the whole completely unsanitized

comment:5 @Denis-de-Bernardy 6 years ago

  • Summary changed from ms-edit.php creates garbage data for anything that can potentially contain a slash and is on the whole completely unsanitized to ms-edit.php creates garbage data for anything that is potentially affected by addslashes() and is on the whole completely unsanitized

comment:6 @dd32 5 years ago

Looks like this was removed along the way as expected with the cleanup? Denis, can you confirm?

comment:7 @nacin 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed