WebApp Sec mailing list archives

Re: [CentOS] WordPress possilbe SQL injections [was: SELinux - way of the future or good idea but !!!]

From: Leonard den Ottolander <leonard () den ottolander nl>
Date: Wed, 22 Dec 2010 16:49:31 +0100

On Tue, 2010-12-21 at 13:44 +0100, Leonard den Ottolander wrote:

The patch shown in
http://core.trac.wordpress.org/changeset/16625

prompted me to try a

$ grep -r "\=\ \%s\"" *

in the web root of a WordPress installation. The matches are a bunch of
possible SQL injections. Haven't checked the actual code paths,


This turned out to a wild goose chase: For all matches the substituted
strings are being quoted via wpdb->prepare().

Regard,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research





This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

Current thread:

WordPress possilbe SQL injections [was: SELinux - way of the future or good idea but !!!] Leonard den Ottolander (Dec 21)
- Re: [CentOS] WordPress possilbe SQL injections [was: SELinux - way of the future or good idea but !!!] Leonard den Ottolander (Dec 22)