Ticket #3722 (closed defect: fixed)

Opened 1 year ago

Last modified 1 year ago

DB error when sanitized search string results in empty query

Reported by: zippity Assigned to: charleshooper
Priority: normal Milestone: 2.1.2
Component: General Version: 2.1
Severity: normal Keywords: has-patch needs-testing 2nd-opinion
Cc:

Description

When entering a comma "," into the search function, you get the following error displayed at top of page:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_dat' at line 1] SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1 AND () AND ((post_status = 'publish' OR post_status = 'private')) ORDER BY post_date DESC LIMIT 0, 10


Multiple commas produce the same result.
If you enter anything in addition to the comma, it works fine.

Attachments

wp_search.diff (0.8 kB) - added by charleshooper on 01/31/07 01:48:23.
Single comma search "hack"

Change History

01/31/07 01:00:19 changed by Viper007Bond

Confirmed.

01/31/07 01:48:23 changed by charleshooper

  • attachment wp_search.diff added.

Single comma search "hack"

01/31/07 01:54:51 changed by charleshooper

  • owner changed from anonymous to charleshooper.

This is kind of a hack actually. This basically just gets rid of the extra SQL formatting if $search is empty, thus getting rid of the database error when a user submits a single comma as a search term.

The result?

When a user submits a single comma search all _published_ posts are returned.

Everything else seems OK though.

01/31/07 02:20:00 changed by charleshooper

  • keywords set to has-patch needs-testing 2nd-opinion.
  • status changed from new to assigned.

01/31/07 02:46:39 changed by charleshooper

  • component changed from Security to General.
  • summary changed from Search string does not sanitize commas to DB error when sanitized search string results in empty query.

I guess it's also worth mentioning that commas _are_ being sanitized. The reason for the error is that once the commas are gone, WordPress attempts to wrap the search query with "AND ( $search )".

Since $search is null MySQL throws up an error.

02/21/07 15:34:43 changed by Nazgul

  • milestone changed from 2.1.1 to 2.1.2.

02/21/07 15:59:45 changed by Nazgul

The patch also fixes #3722.

02/21/07 16:00:25 changed by Nazgul

I meant #3759.

02/22/07 01:54:30 changed by ryan

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [4911]) Handle empty search query. Props charleshooper. fixes #3722 #3759

02/22/07 01:55:18 changed by ryan

(In [4912]) Handle empty search query. Props charleshooper. fixes #3722 #3759

02/28/07 00:20:19 changed by foolswisdom

Is labeled a WordPress Search Function SQL-Injection on seclists today.

03/10/07 02:53:00 changed by charleshooper

That's pretty annoying. Even without the fix there is no SQL injection vulnerability there whatsoever. The error is caused by an empty set of parenthesis. The keyword here is EMPTY.

I had spent a good deal of time making sure nothing could be passed to the query string (before and after this fix), but I guess all it takes to post to a security mailing list is an email address.
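
Added example, not code from the ticket or from WordPress: a small Python model of the search-clause construction that charleshooper describes above (sanitize each term, join the per-term LIKE blocks, then wrap the result in "AND ( $search )"), with the pre-fix builder that emits the empty "AND ()" from the reporter's error and the post-fix builder that skips the wrapper when nothing survives sanitization. The character whitelist, the LIKE escaping, and the exact column list are assumptions chosen to mirror the behaviour the ticket reports; the point is that a lone comma sanitizes to nothing, which is a syntax error rather than an injection, and that the only user-controlled bytes reaching the SQL are whitelisted.

```python
import re

# Assumed sanitizer: keep only word characters per term. WordPress 2.1 used
# its own filter; this one is chosen so that "," (and ", ,") collapse to no
# terms, reproducing the ticket.
DISALLOWED = re.compile(r"[^A-Za-z0-9_]")

BASE = "SELECT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts WHERE 1=1"
TAIL = (" AND ((post_status = 'publish' OR post_status = 'private'))"
        " ORDER BY post_date DESC LIMIT 0, 10")


def sanitize_terms(s):
    """Split the raw search string on whitespace and strip disallowed
    characters from each term; terms that become empty are dropped."""
    terms = []
    for raw in s.split():
        term = DISALLOWED.sub("", raw)
        if term:
            terms.append(term)
    return terms


def escape_like(term):
    """Assumed minimal escaping for a LIKE literal (WordPress used
    $wpdb->escape()); redundant with the whitelist, kept as defence in depth."""
    return (term.replace("\\", "\\\\").replace("'", "\\'")
                .replace("%", "\\%").replace("_", "\\_"))


def build_search_clause(terms):
    """Return the $search fragment: one (title OR content) block per term,
    joined with AND. Empty term list -> empty string."""
    parts = []
    for t in terms:
        e = escape_like(t)
        parts.append(f"((post_title LIKE '%{e}%') OR (post_content LIKE '%{e}%'))")
    return " AND ".join(parts)


def query_before_fix(s):
    """Pre-patch behaviour: $search is wrapped unconditionally, so an empty
    fragment yields the 'AND ()' MySQL rejects."""
    search = build_search_clause(sanitize_terms(s))
    return f"{BASE} AND ({search}){TAIL}"


def query_after_fix(s):
    """Post-patch behaviour: only wrap when something survived sanitization.
    A lone comma therefore returns the unfiltered (published) post list."""
    search = build_search_clause(sanitize_terms(s))
    where = f" AND ({search})" if search else ""
    return f"{BASE}{where}{TAIL}"


def has_empty_parens(sql):
    """Cheap check for the exact defect: an empty parenthesised group."""
    return re.search(r"\(\s*\)", sql) is not None


if __name__ == "__main__":
    for s in [",", ", ,", "wordpress", "' OR 1=1 --"]:
        print(repr(s), "->", sanitize_terms(s))
        print("  before:", "BROKEN" if has_empty_parens(query_before_fix(s)) else "ok")
        print("  after: ", "BROKEN" if has_empty_parens(query_after_fix(s)) else "ok")
```

Running it shows the single-comma and multi-comma inputs produce "AND ()" only with the pre-fix builder, while an injection-shaped input is reduced to bare alphanumerics before it ever reaches the LIKE literal, which is what the "EMPTY, not injection" point in the last comment amounts to.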