Opened 16 years ago

Closed 15 years ago

#2758 closed defect (bug) (fixed)

Security issue: cat parameter is vulnerable to SQL injection

Reported by: pcdinh
Owned by:
Milestone: 2.1
Priority: highest omg bbq
Severity: critical
Version: 2.0.2
Component: Security
Keywords: sql injection, cat parameter
Focuses:
Cc:

Description

To get the content of a specific category I can request the following url:

http://www.path.com/wordpress/?cat=3

But when I try to send a request to http://www.path.com/wordpress/?cat=. an unexpected error is returned:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DES' at line 1]
SELECT DISTINCT wp_posts.* FROM wp_posts LEFT JOIN wp_post2cat ON (wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND category_id IN (.) AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC LIMIT 0, 10

What does WHERE 1=1 AND category_id IN (.) mean here?

So I think that we should check the cat parameter against an int value to prevent WordPress from returning such errors.

Applicable to WP 2.0.2 and WP 2.1 alpha1

Thanks

Change History (4)

#1 @pcdinh
16 years ago

  • Component changed from Administration to Security

My solution: In wp-includes/query.php, before $qcat? = .urldecode($qcat?).; I add:

$qcat? = intval($qcat?);

Thanks
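The following is an added example, not code from WordPress or from this ticket. It reproduces the pattern in the description (the URL-decoded cat value pasted straight into the category_id IN (...) clause) and the fix proposed in comment #1 (coercing the value with intval) side by side. It uses Python with an in-memory SQLite database standing in for PHP and MySQL; the wp_posts/wp_post2cat schema and rows are constructed to match only the column names in the quoted error message, php_intval is an approximation of PHP's intval(), and INJECTION is a constructed payload. The vulnerable builder shows why "cat=." produces the syntax error in the ticket and how the same hole lets a crafted value return draft and non-post rows; the hardened builder returns an empty result for both.

```python
import re
import sqlite3
from urllib.parse import unquote_plus  # closest analogue of PHP urldecode()

# Constructed toy schema and rows. Only the column names are borrowed from the
# error message in the ticket; this is not WordPress's schema or data.
SCHEMA = """
CREATE TABLE wp_posts (
    ID INTEGER PRIMARY KEY, post_title TEXT, post_type TEXT,
    post_status TEXT, post_date TEXT);
CREATE TABLE wp_post2cat (post_id INTEGER, category_id INTEGER);
"""
POSTS = [
    (1, "Hello world", "post", "publish", "2006-06-01"),
    (2, "Second post", "post", "publish", "2006-06-02"),
    (3, "Unfinished draft", "post", "draft", "2006-06-03"),
    (4, "About page", "page", "publish", "2006-06-04"),
]
POST2CAT = [(1, 3), (2, 5), (3, 3), (4, 1)]

# Same shape as the query quoted in the ticket; {cat} is the injection point.
QUERY_TEMPLATE = (
    "SELECT DISTINCT wp_posts.* FROM wp_posts "
    "LEFT JOIN wp_post2cat ON (wp_posts.ID = wp_post2cat.post_id) "
    "WHERE 1=1 AND category_id IN ({cat}) "
    "AND (post_type = 'post' AND (post_status = 'publish')) "
    "ORDER BY post_date DESC LIMIT 0, 10"
)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?,?)", POSTS)
    conn.executemany("INSERT INTO wp_post2cat VALUES (?,?)", POST2CAT)
    return conn


def build_query_vulnerable(raw_cat):
    """Faulty pattern: the URL-decoded request value is pasted into SQL."""
    return QUERY_TEMPLATE.format(cat=unquote_plus(raw_cat))


def php_intval(value):
    """Approximates PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"^\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def build_query_hardened(raw_cat):
    """Fix proposed in the ticket: coerce cat to an integer before use.
    An integer cannot carry quotes, parentheses or comment markers, so the
    interpolation is safe. For non-numeric inputs the general answer is a
    parameterized query, not escaping."""
    return QUERY_TEMPLATE.format(cat=php_intval(unquote_plus(raw_cat)))


def run(conn, query):
    """Execute and return the sorted post IDs the query yields."""
    return sorted(row[0] for row in conn.execute(query))


def vulnerable_cat_lookup(raw_cat):
    return run(open_db(), build_query_vulnerable(raw_cat))


def hardened_cat_lookup(raw_cat):
    return run(open_db(), build_query_hardened(raw_cat))


def vulnerable_raises(raw_cat):
    """True when the vulnerable builder yields a SQL syntax error."""
    try:
        vulnerable_cat_lookup(raw_cat)
    except sqlite3.OperationalError:
        return True
    return False


# Constructed payload, URL-encoded as it would travel in ?cat=...:
# decodes to "0) OR 1=1 -- " (MySQL needs the space after --; SQLite does not).
INJECTION = "0%29+OR+1%3D1+--+"

if __name__ == "__main__":
    print(vulnerable_cat_lookup("3"))        # [1]
    print(vulnerable_raises("."))            # True, the error from the ticket
    print(vulnerable_cat_lookup(INJECTION))  # [1, 2, 3, 4], draft and page leak
    print(hardened_cat_lookup("."))          # []
    print(hardened_cat_lookup(INJECTION))    # []
```

The payload comments out the post_type and post_status filters, which is why a draft and a page come back from the vulnerable path; the intval coercion reduces both the syntax-error input and the payload to category 0 and returns nothing.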

#3 @ryan
16 years ago

[3824] fixes trunk. Doesn't seem to be a problem in 2.0.2.

#4 @matt
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed