new wordpress 3 sql injection
- Thread starter ttime
- Start date
^^ dont know i just had plain old 3.0 i guess we will see if it was fixed with 3.02...... - dont know how it is getting in yet.
BTW: just realized michaelk is michael Kaiser screen name he is the Executive Director of the National Cyber Security Alliance - maybe the asshole finally went rogue
BTW: just realized michaelk is michael Kaiser screen name he is the Executive Director of the National Cyber Security Alliance - maybe the asshole finally went rogue
How the hell does wordpress have anything to do with bank of america? (rolls eyes)
Btw, this sql injection requires you to have AUTHOR level permissions on the blog for it to actually work (or do anything for that matter)... so unless you plan on fucking up blogs that you already have an account on (that can already edit, create and delete posts) you're SOL. Ohh.. and that'll also only work with older, non-updated versions of wordpress.
You're so late with this one, u can stop thinking about it.... it's been fixed for a while.. it's the biggest change in 3.0.2..this fix.
Wordpress.org info/bug list: #13887 (comment_whitelist checking in check_comment)
Detailed info on attack + how to pull it off: WordPress: Information Disclosure via SQL Injection Attack « WordPress « Ars Longa, Vita Brevis
Btw, this sql injection requires you to have AUTHOR level permissions on the blog for it to actually work (or do anything for that matter)... so unless you plan on fucking up blogs that you already have an account on (that can already edit, create and delete posts) you're SOL. Ohh.. and that'll also only work with older, non-updated versions of wordpress.
You're so late with this one, u can stop thinking about it.... it's been fixed for a while.. it's the biggest change in 3.0.2..this fix.
Wordpress.org info/bug list: #13887 (comment_whitelist checking in check_comment)
Detailed info on attack + how to pull it off: WordPress: Information Disclosure via SQL Injection Attack « WordPress « Ars Longa, Vita Brevis