Make WordPress Core

Opened 18 years ago

Closed 18 years ago

#3126 closed defect (bug) (invalid)

SQL Injection

Reported by: Ecko
Owned by:
Milestone:
Priority: high
Severity: minor
Version: 2.0.4
Component: Security
Keywords:
Focuses:
Cc:

Description

The following was recently posted on a Security Focus mailing list.

index.php?paged=/archive/-1-5-2-Create%20Table

which will result in the following error output:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-10, 10' at line 1]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-09-12 21:05:59' AND (post_status = "publish" OR post_author = 1 AND post_status != 'draft' AND post_status != 'static') AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT -10, 10

Is there currently a patch to fix this bug?

Change History (1)

#1 @Nazgul
18 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Next time you reference a mailing list, please include a link to it.
I'm assuming you're talking about this one (Bugtraq): http://www.securityfocus.com/archive/1/445374

It has been discussed both at the support forum (http://wordpress.org/support/topic/86281) and on the wp-hackers mailing list (http://comox.textdrive.com/pipermail/wp-hackers/2006-September/008269.html).
In both locations this has been identified as a non-issue.
