WebApp Sec mailing list archives
Re: [CentOS] WordPress possible SQL injections [was: SELinux - way of the future or good idea but !!!]
From: Leonard den Ottolander <leonard () den ottolander nl>
Date: Wed, 22 Dec 2010 16:49:31 +0100
On Tue, 2010-12-21 at 13:44 +0100, Leonard den Ottolander wrote:
> The patch shown in http://core.trac.wordpress.org/changeset/16625 prompted me to try a $ grep -r "\=\ \%s\"" * in the web root of a WordPress installation. The matches are a bunch of possible SQL injections. Haven't checked the actual code paths,
This turned out to be a wild goose chase: for all matches the substituted strings are being quoted via wpdb->prepare().

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
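The grep in the thread matches every `= %s` in a query string, but as the follow-up notes, a placeholder handed to `$wpdb->prepare()` is quoted and escaped, so most hits are false positives. The following triage script is an added example, not code from the thread or from WordPress: it repeats the grep line by line but sorts each hit by how the value reaches the query, so only the unprepared cases are left for manual review. The PHP sample is constructed for illustration and is not real WordPress code.

```python
import re

# Constructed sample in WordPress style (not WordPress code): one prepared
# query, one built with sprintf(), one with a variable interpolated straight
# into the string, and a bare prepare() call.
SAMPLE_PHP = """<?php
$post = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s", $slug ) );
$rows = $wpdb->query( sprintf( "UPDATE $wpdb->posts SET post_status = %s WHERE ID = %d", "'$st'", $id ) );
$user = $wpdb->get_var( "SELECT ID FROM $wpdb->users WHERE user_login = '$login'" );
$ok   = $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $key, $pid );
"""

DQ_STRING   = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted PHP string literals on a line
PLACEHOLDER = re.compile(r"=\s*%[sd]")              # what the thread's grep matched
VAR_INTERP  = re.compile(r"=\s*'?\$\w+")            # "... = '$var'": PHP interpolation, never escaped
PREPARE     = re.compile(r"\$wpdb->prepare\s*\(")
SPRINTF     = re.compile(r"\bsprintf\s*\(")


def triage(php_source):
    """Return (line_no, verdict) for each line whose SQL string receives a value.

    Verdicts:
      'prepared' - placeholder filled by $wpdb->prepare(), which quotes and escapes it
      'sprintf'  - placeholder filled by sprintf(), no escaping: review
      'interp'   - PHP variable interpolated directly into the query string: review
      'unknown'  - placeholder but no filler visible on this line (e.g. a
                   multi-line prepare() call): review by hand
    """
    results = []
    for no, line in enumerate(php_source.splitlines(), 1):
        literals = " ".join(DQ_STRING.findall(line))  # only look inside string literals
        if PLACEHOLDER.search(literals):
            if PREPARE.search(line):
                results.append((no, "prepared"))
            elif SPRINTF.search(line):
                results.append((no, "sprintf"))
            else:
                results.append((no, "unknown"))
        elif VAR_INTERP.search(literals):
            results.append((no, "interp"))
    return results


if __name__ == "__main__":
    for no, verdict in triage(SAMPLE_PHP):
        print(f"line {no}: {verdict}")
```

The check is line-oriented, so a prepare() call split across lines shows up as 'unknown' rather than being silently accepted.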
Current thread:
- WordPress possible SQL injections [was: SELinux - way of the future or good idea but !!!] Leonard den Ottolander (Dec 21)
- Re: [CentOS] WordPress possible SQL injections [was: SELinux - way of the future or good idea but !!!] Leonard den Ottolander (Dec 22)