Ticket #2769 (closed defect: fixed)

Opened 2 years ago

Last modified 2 years ago

Non-integer provided as page_id reveals a bug on pages list

Reported by: pcdinh Assigned to: markjaquith
Priority: normal Milestone:
Component: General Version: 2.1
Severity: major Keywords:
Cc:

Description

I work with WordPress 2.1 alpha1 build 2/6/2006 and find that if I send a request like this

http://path/wordpress/?page_id=, or

http://192.168.1.104/php/wordpress/?page_id=char()

or

http://192.168.1.104/php/wordpress/?page_id=%3Cscript%3E

Live example: http://www.binarymoon.co.uk/?page_id=%22.%22%20or%201%20=%201%22.

I will have a list of all pages followed by comment blocks displayed repeatedly. It means that page_id is not checked against integer values.

Thanks

pcdinh

Change History

06/02/06 07:17:33 changed by markjaquith

  • owner changed from anonymous to markjaquith.
  • status changed from new to assigned.
  • component changed from Security to General.
  • severity changed from critical to major.
  • summary changed from Security implication: Sql injection on page_id reveals a bug on pages list to Non-integer provided as page_id reveals a bug on pages list.

It seems that if page_id is not an integer, it is removed from the query altogether (latest trunk)

SELECT * FROM wp_posts WHERE (post_type = 'page' AND post_status = 'publish') ORDER BY post_title ASC

No SQL injection potential. Although, blank page_id should probably run a front page query, not a query of all pages!

I'm taking away the "security" marking for this bug, because non-integer data isn't being inserted into the query. In the future, if you think you've identified a security issue, please send it to security@wordpress.org

08/30/06 09:41:42 changed by ryan

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [4132]) Cast page_id to int before deciding if is_page. fixes #2769
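
The behaviour markjaquith describes above (a non-integer page_id dropped from the query, so every published page matches) and the fix in ryan's changeset (cast page_id to int before deciding is_page), shown side by side as an added PHP example. This is not WordPress code: where_clause_before, where_clause_after and resolve_page_id are hypothetical stand-ins for the query-var handling, and the front-page WHERE clause is assumed. The sample inputs are the URL-decoded values from the ticket description plus two constructed ones.

```php
<?php
// Added example, not WordPress code. Models the two behaviours discussed in
// ticket #2769. The "before" and "after" functions are hypothetical stand-ins
// for the query-building logic, written only to show why a blank or
// non-numeric page_id listed every page, and how an (int) cast changes that.

// Before the fix: a page_id that is not numeric is silently dropped, so the
// WHERE clause no longer pins a single ID and every published page matches.
function where_clause_before($page_id): string
{
    $where = "post_type = 'page' AND post_status = 'publish'";
    if ($page_id !== null && is_numeric($page_id)) {
        $where .= ' AND ID = ' . (int) $page_id;
    }
    return $where;
}

// After the fix: cast first, then decide. 0 means "no page requested" and
// should fall through to the front-page query, not to a list of all pages.
function resolve_page_id($page_id): int
{
    // "", "char()", "<script>" and '"." or 1 = 1".' all cast to 0;
    // a leading-numeric string such as "42 OR 1=1" casts to 42.
    return (int) $page_id;
}

function where_clause_after($page_id): string
{
    $id = resolve_page_id($page_id);
    if ($id <= 0) {
        // Not a page request. Assumed front-page clause; WordPress's real
        // front-page query is not reproduced here.
        return "post_type = 'post' AND post_status = 'publish'";
    }
    // $id is an int, so interpolating it cannot alter the SQL structure.
    return "post_type = 'page' AND post_status = 'publish' AND ID = $id";
}

// Constructed inputs: the URL-decoded page_id values from the ticket
// description, plus an ordinary page ID and a leading-digit payload.
$inputs = [
    '',                 // ?page_id=
    'char()',           // ?page_id=char()
    '<script>',         // ?page_id=%3Cscript%3E
    '"." or 1 = 1".',   // ?page_id=%22.%22%20or%201%20=%201%22.
    '42',               // a real page
    '42 OR 1=1',        // digits followed by junk: cast keeps only 42
];

foreach ($inputs as $raw) {
    printf("%-20s before: %s\n", var_export($raw, true), where_clause_before($raw));
    printf("%-20s after:  %s\n\n", '', where_clause_after($raw));
}
```

Run with `php example.php`. The point the output makes is the one both comments above make: without the cast, any non-numeric value leaves the WHERE clause with no ID condition at all (a full page listing, but no way to inject SQL, since the raw string never reaches the query); with the cast, the value that reaches the query is always an integer, and a result of 0 can be told apart from a real page so that a blank page_id runs the front-page query instead.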

09/25/06 02:14:45 changed by ryan

(In [4232]) Cast page_id to int before deciding if is_page. fixes #2769

09/25/06 04:17:57 changed by foolswisdom

  • milestone changed from 2.1 to 2.0.5.

11/30/06 19:41:51 changed by

  • milestone deleted.

Milestone 2.0.5 deleted