Ticket #2046 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

wp-register.php has outdated email checking

Reported by: sehh Assigned to: anonymous
Priority: normal Milestone:
Component: Security Version: 2.0
Severity: normal Keywords:
Cc: sjmurdoch

Description

Currently, wp-register.php checks if the username already exists by running the "username_exists" function found in wp-includes/registration-functions.php.

Next, wp-register.php checks if the email address already exists. Unfortunately, there isn't a valid function like "useremail_exists". Instead, wp-register.php runs a SELECT statement directly.

In addition, the select statement IS NOT SECURE: it doesn't escape characters for the email address variable $user_email.

I believe a proper function useremail_exists() should be created within wp-includes/registration-functions.php which does the email checking properly.

I'll try to see if I can come up with a patch.

Thank you.
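
The dedicated lookup function the report asks for, sketched as an added example (not WordPress code and not the change in [3507]). The function names follow the report's suggestion; the bodies, the sample table, and the use of PDO with in-memory SQLite in place of MySQL are assumptions. It contrasts an address pasted into the SQL text with one passed as a bound parameter, using a constructed address that contains an apostrophe.

```php
<?php
// Added example: helper bodies and table are assumptions; SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, user_email TEXT)');

// Constructed sample rows; the second is a valid address containing an apostrophe.
$insert = $pdo->prepare('INSERT INTO users (user_email) VALUES (?)');
foreach (['alice@example.com', "o'brien@example.com"] as $row) {
    $insert->execute([$row]);
}

// Pattern the report describes: the address becomes part of the SQL text,
// so correctness depends on every caller having escaped it first.
function useremail_exists_inline(PDO $pdo, string $email): string {
    try {
        $sql = "SELECT ID FROM users WHERE user_email = '$email'";
        $found = $pdo->query($sql)->fetchColumn();
        return $found !== false ? 'yes' : 'no';
    } catch (PDOException $e) {
        // The apostrophe closed the string literal early and the statement no longer parses.
        return 'SQL error';
    }
}

// Proposed shape: one function owns the lookup and binds the value,
// so the address is always handled as data, never as SQL text.
function useremail_exists(PDO $pdo, string $email): bool {
    $stmt = $pdo->prepare('SELECT ID FROM users WHERE user_email = ?');
    $stmt->execute([trim($email)]);
    return $stmt->fetchColumn() !== false;
}

// Constructed inputs: two registered addresses and one unknown address.
foreach (['alice@example.com', "o'brien@example.com", 'bob@example.com'] as $email) {
    printf("%-22s inline=%-9s bound=%s\n", $email,
        useremail_exists_inline($pdo, $email),
        useremail_exists($pdo, $email) ? 'yes' : 'no');
}
```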

Change History

02/05/06 17:27:23 changed by sjmurdoch

  • cc set to sjmurdoch.

I am not very experienced with exploiting MySQL injection vulnerabilities, but I haven't been able to use this bug to execute arbitrary SQL. As I understand it, WordPress uses magic_quotes on all variables, which will escape \, " and '. From empirical tests, this is what actually happens. Perhaps something like mysql_real_escape_string() would be better, which additionally escapes \x00, \n, \r, and \x1a, although I have not found a good explanation why.

02/09/06 08:11:31 changed by matt

  • status changed from new to closed.
  • resolution set to fixed.

(In [3507]) Better email error checking, fixes #2046