Opened 12 years ago
Closed 12 years ago
#21359 closed defect (bug) (invalid)
htmlspecialchars() in wp-db.php is a small vulnerability
| Reported by: | planetzuda | Owned by: | planetzuda |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 3.4.1 |
| Component: | Database | Keywords: | |
| Focuses: | | Cc: | |
Description
Hey,
I was working with wp-db.php when I noticed htmlspecialchars is being used where htmlentities should be used. I know this is very minor, but I've fixed sites that have been hacked due to the misuse of htmlspecialchars. I recommend changing htmlspecialchars to htmlentities when the site bails with an error. I've already fixed it on my install, so I'd be happy to upload the fixed file.
Attachments (1)
Change History (4)
#2
@
12 years ago
Hi there. When you created this ticket, you might have seen:
Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@….
Regardless, this isn't accurate. htmlspecialchars() is not only safe in this instance, but this also isn't exploitable — this error is only going to happen based on what is in your wp-config.php file for DB credentials (meaning, someone has file/PHP access) or is able to set up your config with wp-admin/setup-config.php (which means you have a blank install just sitting around). We consider both to be a non-starter when it comes to considering what is a "vulnerability".
There's no difference between htmlspecialchars() and htmlentities() (when the same parameters are used) from a security standpoint.
Wp-db.php with htmlentities() instead of htmlspecialchars()
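
The claim in the reply above, that htmlspecialchars() and htmlentities() behave the same from a security standpoint when given the same parameters, can be checked by running both over the same inputs and looking at which HTML-significant characters survive. The script below is an added example, not code from this ticket or from WordPress; the helper names and the sample error strings are constructed for illustration.

```php
<?php
// Added example, not WordPress code. All sample strings are constructed.

// Return the HTML-significant characters still present after encoding.
// Entities are stripped first, so the '&' that starts an entity is not counted.
function unescaped_specials(string $encoded): array
{
    $rest = preg_replace('/&(?:#\d+|#x[0-9a-f]+|[a-z][a-z0-9]*);/i', '', $encoded);
    $left = [];
    foreach (['<', '>', '"', "'", '&'] as $ch) {
        if (strpos($rest, $ch) !== false) {
            $left[] = $ch;
        }
    }
    return $left;
}

// Encode one input with both functions using identical flags and charset.
function compare_encoders(string $input, int $flags): array
{
    $special  = htmlspecialchars($input, $flags, 'UTF-8');
    $entities = htmlentities($input, $flags, 'UTF-8');
    return [
        'identical_output' => $special === $entities,
        'left_by_special'  => unescaped_specials($special),
        'left_by_entities' => unescaped_specials($entities),
    ];
}

$samples = [
    'markup'    => 'Error connecting to <b>db.example.test</b> & retrying',
    'quotes'    => 'host \'db1\' said "access denied"',
    'non_ascii' => 'Verbindung zu "Büro-DB" <fehlgeschlagen>',
];

// ENT_COMPAT was the default flag set before PHP 8.1; ENT_QUOTES also encodes "'".
foreach (['ENT_QUOTES' => ENT_QUOTES, 'ENT_COMPAT' => ENT_COMPAT] as $name => $flags) {
    foreach ($samples as $label => $input) {
        $r = compare_encoders($input, $flags);
        printf(
            "%-10s %-9s identical=%-3s special_left=[%s] entities_left=[%s]\n",
            $name, $label,
            $r['identical_output'] ? 'yes' : 'no',
            implode('', $r['left_by_special']),
            implode('', $r['left_by_entities'])
        );
    }
}
```

The two functions differ only in whether non-ASCII characters are turned into named entities; whether single quotes are encoded depends on the flags argument, not on which function is called.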