Make WordPress Core

Opened 17 years ago

Closed 17 years ago

Last modified 16 years ago

#4322 closed defect (bug) (fixed)

SQL injection blind fishing exploit

Reported by: DrHallows
Owned by:
Milestone: 2.0.11
Priority: highest omg bbq
Severity: critical
Version: 2.1.3
Component: Security
Keywords: security, bug
Focuses:
Cc:

Description

BIG security bug in "admin-ajax.php": SQL injection blind fishing exploit
More info on: http://www.waraxe.us/ftopict-1780.html#7560

Attachments (1)

test.php (11.3 KB) - added by DrHallows 17 years ago.

Change History (5)

@DrHallows
17 years ago

#1 @markjaquith
17 years ago

  • Keywords security added; securtiy removed
  • Milestone changed from 2.2.1 to 2.0.11
  • Resolution set to fixed
  • Status changed from new to closed

Fixed for 2.2, 2.0.11 (soon to be released) and in trunk for 2.3

[5440]

[5441]

[5442]

#2 follow-up: @hvdkamer
17 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

According to this page:

"None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained."

However version 2.1.3 is still not patched for this bug?

#3 in reply to: ↑ 2 @westi
17 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to hvdkamer:

> According to this page:
>
> "None of these are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained."
>
> However version 2.1.3 is still not patched for this bug?

2.1.3 will not be patched.

The only security supported versions are 2.0.x and 2.2.x

This fix is in 2.2.1 which has just gone RC.
