SQL injection bug report.
WordPress 1.5 has an SQL-injection vulnerability. Sorry if this is the wrong forum for this sort of thing, but there doesn’t seem to be a place that says “report bugs here”.
Anyway, on the change-password screen (wp-admin/profile.php), the code looks like so:
$updatepassword = "user_pass=MD5('$newuser_pass'), ";
$wpdb->query("UPDATE $wpdb->users SET user_firstname='$newuser_firstname', $updatepassword ...
So for some reason the author of this code decided to defer the MD5 operation to the RDBMS rather than doing it in memory. Anyway, this piece of fancy interpolation is buggy, because the password is not guaranteed to be quote-free.
Putting a quotation mark in the new password breaks the page (“your session has expired”), but more importantly opens up the entire database to SQL injection attack.
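The two outcomes the post describes (a quote in the password breaking the query, and a crafted password rewriting the whole UPDATE) reproduced side by side with a parameterized version, as an added example that is not WordPress code and not from the original post. It assumes a SQLite in-memory `users` table with two constructed rows, a Python stand-in for MySQL's `MD5()` so the interpolated query runs unchanged, and a column list reduced to `user_firstname` and `user_pass`; the function and variable names are illustrative only.

```python
import hashlib
import sqlite3


def _md5(s: str) -> str:
    """Stand-in for MySQL's MD5(): lowercase hex digest of the UTF-8 bytes."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: ID 1 is the admin, ID 2 is an ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, _md5)  # lets the page's MD5('...') literal run in SQLite
    conn.execute(
        "CREATE TABLE users (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_pass TEXT, user_firstname TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", _md5("admin-secret"), "Ada"),
         (2, "bob", _md5("bob-secret"), "Bob")],
    )
    return conn


def build_vulnerable_update(user_id: int, firstname: str, newpass: str) -> str:
    # Same shape as the profile.php snippet: the new password is dropped straight
    # into the MD5('...') literal, so a single quote ends the literal early.
    # (The first name is interpolated the same way; column list is simplified.)
    updatepassword = f"user_pass=MD5('{newpass}')"
    return (f"UPDATE users SET user_firstname='{firstname}', "
            f"{updatepassword} WHERE ID={user_id}")


def change_password_vulnerable(conn: sqlite3.Connection, user_id: int,
                               firstname: str, newpass: str) -> None:
    conn.execute(build_vulnerable_update(user_id, firstname, newpass))
    conn.commit()


def change_password_safe(conn: sqlite3.Connection, user_id: int,
                         firstname: str, newpass: str) -> None:
    # Hash in memory and bind every value: the driver sends data as data, so a
    # quote (or anything else) in the password can never become part of the SQL.
    conn.execute(
        "UPDATE users SET user_firstname=?, user_pass=? WHERE ID=?",
        (firstname, _md5(newpass), user_id),
    )
    conn.commit()


def password_hash_of(conn: sqlite3.Connection, user_id: int) -> str:
    return conn.execute("SELECT user_pass FROM users WHERE ID=?",
                        (user_id,)).fetchone()[0]


def demo() -> dict:
    """Run both code paths against the constructed data and report what happened."""
    results = {}

    # 1. A password containing a quote simply breaks the interpolated query.
    conn = fresh_db()
    try:
        change_password_vulnerable(conn, 2, "Bob", "O'Brien")
        results["quote_breaks_query"] = False
    except sqlite3.OperationalError:
        results["quote_breaks_query"] = True

    # 2. A password that closes the literal and supplies its own WHERE clause
    #    lets user 2 set the admin's (ID 1) password; the original WHERE is
    #    commented out with "-- ".
    payload = "x') WHERE ID=1 -- "
    conn = fresh_db()
    change_password_vulnerable(conn, 2, "Bob", payload)
    results["admin_pass_hijacked"] = password_hash_of(conn, 1) == _md5("x")
    results["bob_untouched"] = password_hash_of(conn, 2) == _md5("bob-secret")

    # 3. The parameterized version stores the odd strings as passwords and
    #    touches only the intended row.
    conn = fresh_db()
    change_password_safe(conn, 2, "Bob", payload)
    results["safe_admin_intact"] = password_hash_of(conn, 1) == _md5("admin-secret")
    results["safe_stores_payload_literally"] = password_hash_of(conn, 2) == _md5(payload)
    conn = fresh_db()
    change_password_safe(conn, 2, "Bob", "O'Brien")
    results["safe_quote_ok"] = password_hash_of(conn, 2) == _md5("O'Brien")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Parameter binding fixes both symptoms at once; escaping the quote would only address the first. The hash is kept as MD5 here only to match the query on the page, not as a recommendation for password storage.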