WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#20489 closed defect (bug) (invalid)

PCI Compliance/Wordpress SQL Injection Vulnerability

Reported by: txfright Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: General Keywords:
Focuses: Cc:

Description

Hello,

SecurityMetrics is failing my site because there is an SQL injection vulnerability.

Here is a recent email from SecurityMetrics:


The website http://www.texasfrightmareweekend.com/ currently has several SQL injection and Cross Site Scripting vulnerabilities that are flagging. I was able to validate that user input is not being sanitized. If you go to this link:

http://www.texasfrightmareweekend.com/weirdpress/?s=%3E%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E

You can see that I was able to inject a script command into the search field of the page and the server responded by creating the alert box.

In order to resolve these issues the website will need to be sanitizing all user input, including the URL itself. This means that any special characters that are entered by a user are dynamically changed by the website or create an error.

Once you have been able to sanitize the site we need to run a new scan to reflect those changes. You are able to start a new scan at any time from your account summary page by using the 'run' button, or if you prefer we are happy to start a scan at your request.

If you have any questions please let us know. Our support staff is available 24 hours a day at 801.705.5700, or you are welcome to reply to this email.


Is there a fix for this?

Change History (3)

#1 @scribu
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

The fix is to use the_search_query() instead of echo get_query_var('s') in your theme. You can see an example in the bundled Twentyeleven theme.

#2 @scribu
10 years ago

Also, please post in the support forums next time: http://wordpress.org/support/

#3 @nacin
10 years ago

Or get_search_query(), if you do not want to echo it directly. (And rather than get_query_var('s'), you may also be using $s. Also unsafe.)

Also, that's just cross-site scripting at that point, there's no SQL injection here.

Note: See TracTickets for help on using tickets.