#2769 closed defect (bug) (fixed)
Non-integer provided as page_id reveals a bug on pages list
Reported by: | pcdinh | Owned by: | markjaquith |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | major | Version: | 2.1 |
Component: | General | Keywords: | |
Focuses: | | Cc: | |
Description
I work with WordPress 2.1 alpha1 build 2/6/2006 and find that if I send a request like this:
http://path/wordpress/?page_id=,
or
http://192.168.1.104/php/wordpress/?page_id=char()
or
http://192.168.1.104/php/wordpress/?page_id=%3Cscript%3E
Live example: http://www.binarymoon.co.uk/?page_id=%22.%22%20or%201%20=%201%22.
I will have a list of all pages followed by comment blocks displayed repeatedly. It means that page_id is not checked against integer values.
Thanks
pcdinh
Change History (5)
#1
@
18 years ago
- Component changed from Security to General
- Owner changed from anonymous to markjaquith
- Severity changed from critical to major
- Status changed from new to assigned
- Summary changed from Security implication: Sql injection on page_id reveals a bug on pages list to Non-integer provided as page_id reveals a bug on pages list
It seems that if page_id is not an integer, it is removed from the query altogether (latest trunk)
No SQL injection potential. Although, blank page_id should probably run a front page query, not a query of all pages!
I'm taking away the "security" marking for this bug, because non-integer data isn't being inserted into the query. In the future, if you think you've identified a security issue, please send it to security@…
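
The check this ticket is about, as an added example that is not WordPress code and not written by either participant: a strict integer gate on `page_id` that falls back to a front page query instead of listing all pages. The function name `resolve_page_query()` and the `front_page` / `single_page` labels are hypothetical, and applying the front page fallback to every invalid value (not only a blank one) is an assumption.

```php
<?php
// Added example, not WordPress code. resolve_page_query() and the
// 'front_page' / 'single_page' labels are hypothetical names.

/**
 * Decide which query to run for a raw page_id request parameter.
 * Returns ['type' => 'single_page', 'page_id' => int] for a positive
 * integer, and ['type' => 'front_page'] for anything else, so a blank or
 * malformed value never widens into "list every page".
 */
function resolve_page_query(array $get): array
{
    $front = ['type' => 'front_page'];

    if (!array_key_exists('page_id', $get)) {
        return $front;
    }
    $raw = $get['page_id'];

    // ?page_id[]=1 arrives as an array; accept strings only.
    if (!is_string($raw)) {
        return $front;
    }

    // Digits only: rejects '', ',', 'char()', '<script>' and signed or
    // space-padded numbers that a loose (int) cast would let through.
    if (!ctype_digit($raw)) {
        return $front;
    }

    // Rejects 0, leading zeros and values that overflow PHP_INT_MAX.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return $front;
    }
    return ['type' => 'single_page', 'page_id' => $id];
}

// Constructed sample inputs, modelled on the values in the report.
$samples = [',', 'char()', '<script>', '"." or 1 = 1".', '', '0', '42'];
foreach ($samples as $value) {
    $q = resolve_page_query(['page_id' => $value]);
    printf("%-18s => %s%s\n", var_export($value, true), $q['type'],
        isset($q['page_id']) ? ' #' . $q['page_id'] : '');
}
```

Only the validated integer should reach the database layer, and it should still be bound as a typed parameter there rather than concatenated into the SQL string.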