Opened 7 years ago

Closed 7 years ago

#3938 closed defect (bug) (invalid)

Possible SQL injection vuln. Apostrophe in post creates SQL error

Reported by: knowtown
Owned by:
Milestone:
Priority: high
Severity: critical
Version: 2.1.1
Component: Security
Keywords: apostrophe sql error
Focuses:
Cc:

Description

Hello,
I am not sure if this is the right place to post this but I was referred here after not being able to resolve my issue in the WordPress forums (http://wordpress.org/support/topic/108207?replies=15).

Long story short I upgraded my blog to 2.1.1 and now whenever I type a post that has an apostrophe character I get an error like this:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's excerpt that is creating error' at line 1]
UPDATE wp_posts SET post_content = 'The complete text of the post displays here. in this post would be the post's excerpt that is creating the error.' WHERE ID = '628'

I had two good suggestions to try. First was to create a new WordPress blog with a clean install into a new directory and a new database, which I did (using Fantastico) and still got the same error. Second was to contact my host provider (Bluehost) to see if there was something wrong in my SQL database. My host provider confirmed that my settings were correct.

Then I discovered that when I typed up a post in MS Word and pasted it into WordPress the post would publish with no error. When I cut and paste, the apostrophe appears in the post edit window as a curly quote (like a comma) but when I type directly in the edit window the apostrophe appears as a straight line (like a vertical tick mark). If I am reading previous problems on the forum correctly this is opposite what most people experience. It seems most people have errors when they cut and paste from Word.

Some suggested I try some plugins that disable smart quotes and I did try "quotemark replacer" and "unfancy quote" with no success. I also verified that the problem only happens with apostrophe/single quote and not with double quotes.

I also host a friend's blog in a different folder with a different database. That blog has not been upgraded and is not experiencing any of these errors. So it seems that there is something strange in the combination of my server, WordPress 2.1.1 and using the apostrophe character.

The error will appear the very first autosave/save after an apostrophe character is typed. Then when you publish the post it takes you to an error screen. If you exit that screen the post actually does publish, so the overall problem is not a deal breaker, but the error is annoying. I sure would love to know if there is a way to resolve it.

If anyone has any thoughts or can point me in a new direction I would appreciate it.
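The failure in the error output above is the classic one: the post text is spliced into the UPDATE statement without escaping, so the apostrophe in "post's" terminates the string literal and the rest of the text is parsed as SQL. The following is an added example (not code from the ticket or from WordPress) that reproduces that failure with the reporter's own post text and shows the two ways it is prevented; it assumes an in-memory SQLite table standing in for the MySQL `wp_posts` table.

```python
import sqlite3

# Constructed stand-in for the ticket's MySQL table, using SQLite so the demo runs offline.
# The post text is the one shown in the reporter's error message; the ID (628) is from the ticket.
POST_ID = 628
POST_CONTENT = ("The complete text of the post displays here. in this post would be "
                "the post's excerpt that is creating the error.")


def make_db():
    """Create an in-memory wp_posts table holding one placeholder row for ID 628."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.execute("INSERT INTO wp_posts VALUES (?, ?)", (POST_ID, "placeholder"))
    return conn


def update_unescaped(conn, post_id, content):
    """Build the UPDATE by plain string interpolation, the shape of the query in the ticket.
    The apostrophe in "post's" closes the string literal early, so the statement does not
    parse. Returns (ok, error_message)."""
    sql = "UPDATE wp_posts SET post_content = '%s' WHERE ID = '%s'" % (content, post_id)
    try:
        conn.execute(sql)
        return True, ""
    except sqlite3.OperationalError as exc:
        return False, str(exc)


def update_escaped(conn, post_id, content):
    """Escape by doubling single quotes (standard SQL, accepted by MySQL and SQLite) before
    interpolating. This is the step that is missing from the query in the ticket's error output."""
    sql = "UPDATE wp_posts SET post_content = '%s' WHERE ID = %d" % (content.replace("'", "''"), post_id)
    conn.execute(sql)
    return conn.execute("SELECT post_content FROM wp_posts WHERE ID = ?", (post_id,)).fetchone()[0]


def update_parameterized(conn, post_id, content):
    """Preferred fix: bind values as parameters so the driver never splices text into the SQL."""
    conn.execute("UPDATE wp_posts SET post_content = ? WHERE ID = ?", (content, post_id))
    return conn.execute("SELECT post_content FROM wp_posts WHERE ID = ?", (post_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(update_unescaped(db, POST_ID, POST_CONTENT))            # (False, '...syntax error...')
    print(update_escaped(db, POST_ID, POST_CONTENT) == POST_CONTENT)        # True
    print(update_parameterized(db, POST_ID, POST_CONTENT) == POST_CONTENT)  # True
```

Note that the escaped and parameterized variants store the apostrophe intact, which is the behaviour the reporter expected from the editor; a plugin that alters post content after the escaping step has run can reintroduce exactly the raw quote seen in the error.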

Change History (8)

comment:1 follow-up: Linusmartensson, 7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

As far as I know, 2.1.1 is the WordPress version that was deemed unsafe; someone managed to add exploitable code to the WordPress files on the download servers. A critical update to 2.1.2 was released shortly thereafter.
This problem you're having sounds exactly like the exploited code.
I strongly advise you to upgrade to 2.1.2 ASAP.

comment:2 in reply to: ↑ 1 westi, 7 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Replying to Linusmartensson:

> As far as I know, 2.1.1 is the WordPress version that was deemed unsafe; someone managed to add exploitable code to the WordPress files on the download servers. A critical update to 2.1.2 was released shortly thereafter.
> This problem you're having sounds exactly like the exploited code.
> I strongly advise you to upgrade to 2.1.2 ASAP.

While the reporter does need to upgrade to 2.1.2, I don't see how this issue could be caused by the code inserted into 2.1.1 by the hacker.

comment:3 rob1n, 7 years ago

  • Milestone 2.3 deleted

Yeah, the insecure 2.1.1 has nothing whatsoever to do with this issue...

Can anyone reproduce this? I can't seem to...

comment:4 charleshooper, 7 years ago

  • Component changed from General to Security
  • Keywords reporter-feedback dev-feedback added
  • Priority changed from normal to high
  • Severity changed from normal to critical
  • Summary changed from apostrophe in post creates database SQL error to Possible SQL injection vuln. Apostrophe in post creates SQL error

Do we know that for a fact? Had the cracker modified the way posts were escaped, then this would be a prime example of that.

Some feedback from someone who has more details of what had been changed would be helpful.

Regardless, as far as I know 2.1.2 was not only an emergency release due to the cracker, but it also added a new security fix; more information is available at http://markjaquith.wordpress.com/2007/03/03/wordpress-212-is-a-mandatory-upgrade/

Upgrade to 2.1.2 and report back to us.

comment:5 knowtown, 7 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Thanks everyone for the suggestion to upgrade. I completed the upgrade successfully, but the problem still occurred. While thoroughly testing I think I found the culprit. The issue is being caused by one of the plugins I was using (Scripturizer 1.5). I thought I had tested all my plugins before but I must have missed this one. I started testing each plugin one at a time and this one brings on the problem every time. I am not sure what it is about that plugin that was creating the problem, but now that I have disabled it, I think all systems are go.

Sorry for wasting everyone's time for a simple test that I thought I had already done. I do appreciate all the help though.

comment:6 johnbillion, 7 years ago

  • Keywords reporter-feedback dev-feedback removed

comment:7 charleshooper, 7 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:8 charleshooper, 7 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed