Opened 20 years ago
Closed 20 years ago
#2758 closed defect (bug) (fixed)
Security issue: cat parameter is vulnerable to SQL injection
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.1 | Priority: | highest omg bbq |
| Severity: | critical | Version: | 2.0.2 |
| Component: | Security | Keywords: | sql injection, cat parameter |
| Focuses: | | Cc: | |
Description
To get the content of a specific category I can request the following URL:
http://www.path.com/wordpress/?cat=3
But when I try to send a request to http://www.path.com/wordpress/?cat=. an unexpected error is returned:
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DES' at line 1]
SELECT DISTINCT wp_posts.* FROM wp_posts LEFT JOIN wp_post2cat ON (wp_posts.ID = wp_post2cat.post_id) WHERE 1=1 AND category_id IN (.) AND (post_type = 'post' AND (post_status = 'publish')) ORDER BY post_date DESC LIMIT 0, 10
What does WHERE 1=1 AND category_id IN (.) mean here?
So I think that we should check the cat parameter against an int value to prevent WordPress from returning such errors.
Applicable to WP 2.0.2 and WP 2.1 alpha1
Thanks
My solution: In wp-includes/query.php, before `$q['cat'] = ''.urldecode($q['cat']).'';` I add:
`$q['cat'] = intval($q['cat']);`
Thanks
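The pattern behind this ticket, shown side by side as an added example: a WHERE clause built by interpolating the raw `cat` value (which is what yields `category_id IN (.)`), and a hardened version that only lets signed integers through. This is illustrative code written for this page, not WordPress's own query.php; the table and column names are taken from the SQL in the report, and the function names `build_category_where_unsafe`, `sanitize_cat_list` and `build_category_where_safe` are hypothetical.

```php
<?php
// Added example, not WordPress code. Column names follow the SQL quoted in
// the ticket; the helper names are invented for this illustration.

// Unsafe: the raw request value lands inside IN (...). For ?cat=. this is
// exactly the "category_id IN (.)" syntax error the reporter saw, and for
// a crafted value the attacker controls the rest of the statement.
function build_category_where_unsafe(string $cat): string {
    return "WHERE 1=1 AND category_id IN ($cat) "
         . "AND (post_type = 'post' AND (post_status = 'publish'))";
}

// Hardened: `cat` may be one id or a comma/space separated list, and a
// leading '-' excludes a category (WordPress accepts "1,2,-3"). Every token
// must match a signed integer; anything else (".", quotes, "OR 1=1") is
// dropped before it can reach SQL. Included and excluded ids are returned
// separately so each list is emitted as plain integers.
function sanitize_cat_list(string $cat): array {
    $in = [];
    $not_in = [];
    foreach (preg_split('/[,\s]+/', trim($cat)) as $token) {
        if ($token === '' || !preg_match('/^-?\d+$/', $token)) {
            continue; // reject anything that is not a signed integer
        }
        $id = intval($token);
        if ($id < 0) {
            $not_in[] = -$id;
        } elseif ($id > 0) {
            $in[] = $id;
        }
    }
    return [
        'in'     => array_values(array_unique($in)),
        'not_in' => array_values(array_unique($not_in)),
    ];
}

function build_category_where_safe(string $cat): string {
    $ids = sanitize_cat_list($cat);
    $where = "WHERE 1=1";
    if ($ids['in']) {
        $where .= " AND category_id IN (" . implode(',', $ids['in']) . ")";
    }
    if ($ids['not_in']) {
        $where .= " AND category_id NOT IN (" . implode(',', $ids['not_in']) . ")";
    }
    return $where . " AND (post_type = 'post' AND (post_status = 'publish'))";
}

// Constructed inputs: the ticket's ?cat=. plus a list and a hostile value.
foreach (['3', '.', '1,2,-3', "3) OR 1=1 -- "] as $input) {
    echo "cat=$input\n";
    echo "  unsafe: " . build_category_where_unsafe($input) . "\n";
    echo "  safe:   " . build_category_where_safe($input) . "\n";
}
```

When no valid id survives (as with `?cat=.`) the hardened form simply omits the category clause rather than emitting an empty or malformed IN list, which is the same net effect as the reporter's `intval()` (0 is falsy, so the category branch is skipped) while still accepting the comma-separated lists that a bare `intval()` would reduce to their first number.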