Re: WordPress Search Function SQL-Injection

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: WordPress Search Function SQL-Injection
From: kelson@xxxxxxxxx
Date: 27 Feb 2007 22:23:32 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

This looks like the bug described here: http://trac.wordpress.org/ticket/3722
"DB error when sanitized search string results in empty query" (Filed January 
31)

According to that page:
> I guess it's also worth mentioning that commas
> _are_ being sanitized. The reason for the error is
> that once the commas are gone WordPress attempts 
> to wrap the search query with "AND ( $search )"
> 
> Since $search is null MySQL throws up an error.

The same error results from searching for just a space.  In either case, adding 
other characters to the field results in the expected query.  It doesn't look 
like injection would be possible.

Prev by Date: Xbox 360 Hypervisor Privilege Escalation Vulnerability
Next by Date: Re: WordPress Search Function SQL-Injection
Previous by thread: Re: WordPress Search Function SQL-Injection
Next by thread: Re: Re: WordPress Search Function SQL-Injection
Index(es):
- Date
- Thread