Re: Sql injection in WordPress 2.1.2

To: "Omid" <omid@xxxxxxxxxx>
Subject: Re: Sql injection in WordPress 2.1.2
From: steven@xxxxxxxxxxx
Date: Fri, 9 Mar 2007 13:39:22 -0800 (PST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <df2d38266ad39d64a9698c02006cb78c.hackers@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <df2d38266ad39d64a9698c02006cb78c.hackers@xxxxxxxxxx>
User-agent: SquirrelMail/1.4.9a

Care to provide a demonstration exploit then?  You do realize that
$new_cat is just a variable pulled from the $add_cats array, right?  Show
everyone how you are going to inject SQL into the list of categories.


> Hello,
>
> There is a sql injection in WordPress 2.1.2 (and maybe others) .
> A user with "add link" permission (Editor/Administrator) can do this :
>
> The '$new_cat' variable in "wp_set_link_cats()" function is not checked
> properly before be used in the sql query :
>
> File /wp-admin/admin-db.php, Line 472 :
>
>                       $wpdb->query("
>                               INSERT INTO $wpdb->link2cat (link_id, 
> category_id)
>                               VALUES ($link_ID, $new_cat)");
>
>
> - Omid
>

References:
- Sql injection in WordPress 2.1.2
  - From: Omid

Prev by Date: Re[2]: [Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
Next by Date: [ MDKSA-2007:060 ] - Updated kernel packages fix multiple vulnerabilities and bugs
Previous by thread: Sql injection in WordPress 2.1.2
Next by thread: Remote File Include In Script copyright (c) James Coyle; JCcorp
Index(es):
- Date
- Thread