Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#44861 closed defect (bug) (invalid)

equals sign in WordPress Gutenberg post triggers SQL injection attack on Server

Reported by: jamesfroggatt
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.9.8
Component: Editor
Keywords: reporter-feedback close
Focuses:
Cc:


I am using WordPress 4.9.8 and use Gutenberg.

There appears to be a serious problem when using the = symbol in posts.

This triggers a firewall on my host that then blocks ALL requests to the server from my IP.

I have a feeling that in the WordPress code, the = symbol is not 'escaped' so Failed Update occurs and indeed the server itself then permanently blocks my IP as posting this symbol seems to appear like an SQL injection attack.

The simple solution is to not include the = sign in posts and just write 'equals' but obviously not ideal.

Thank you

Change History (4)

#1 @mukesh27
6 years ago

  • Focuses performance added
  • Keywords needs-patch needs-screenshots good-first-bug added

#2 @knutsp
6 years ago

  • Focuses performance removed
  • Keywords reporter-feedback close added; good-first-bug removed
  • Severity changed from critical to normal

Does this happen when using the classic editor, or only when using Gutenberg, which is a plugin not maintained on this Trac?

Either way, probably not a bug in Core or Gutenberg, but a server misconfiguration.

#3 @ayeshrajans
6 years ago

It is likely that a security filter sitting between WordPress is blocking such requests, such as Apache mod_security.

#4 @SergeyBiryukov
6 years ago

  • Keywords needs-patch needs-screenshots removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Hi @jamesfroggatt, welcome to WordPress Trac! Thanks for the report.

I have a feeling that in the WordPress code, the = symbol is not 'escaped'

Right, but it's perfectly fine to use in post content, so I don't see why it should be escaped.

It looks like the symbol triggers some overzealous security rule on your server. Please try the support forums for troubleshooting:

Related: #25564, #25736, #32571.
