
Opened 7 years ago

Closed 7 years ago

Last modified 6 years ago

#4322 closed defect (bug) (fixed)

SQL injection blind fishing exploit

Reported by: DrHallows
Owned by:
Milestone: 2.0.11
Priority: highest omg bbq
Severity: critical
Version: 2.1.3
Component: Security
Keywords: security, bug
Focuses:
Cc:

Description

BIG security bug in "admin-ajax.php" sql injection blind fishing exploit
More info on: http://www.waraxe.us/ftopict-1780.html#7560

Attachments (1)

test.php (11.3 KB) - added by DrHallows 7 years ago.


Change History (5)

DrHallows 7 years ago

comment:1 markjaquith 7 years ago

  • Keywords security added; securtiy removed
  • Milestone changed from 2.2.1 to 2.0.11
  • Resolution set to fixed
  • Status changed from new to closed

Fixed for 2.2, 2.0.11 (soon to be released) and in trunk for 2.3

[5440]

[5441]

[5442]

comment:2 follow-up: hvdkamer 7 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

According to this page:

"None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained."

However version 2.1.3 is still not patched for this bug?

comment:3 in reply to: ↑ 2 westi 7 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to hvdkamer:

According to this page:

"None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained."

However version 2.1.3 is still not patched for this bug?

2.1.3 will not be patched.

The only security supported versions are 2.0.x and 2.2.x

This fix is in 2.2.1 which has just gone RC.
